From 027d47f36d5e77b24a925d19c987fc43151baa17 Mon Sep 17 00:00:00 2001
From: djm <>
Date: Thu, 3 Nov 2011 02:32:24 +0000
Subject: import OpenSSL 1.0.0e

---
 src/lib/libssl/src/CHANGES                         | 136 ++++++-
 src/lib/libssl/src/Configure                       |  15 +
 src/lib/libssl/src/FAQ                             |  53 ++-
 src/lib/libssl/src/INSTALL.VMS                     |  52 ++-
 src/lib/libssl/src/INSTALL.W32                     |  22 +-
 src/lib/libssl/src/LICENSE                         |   2 +-
 src/lib/libssl/src/Makefile                        |   2 +-
 src/lib/libssl/src/NEWS                            |  41 ++-
 src/lib/libssl/src/PROBLEMS                        |   4 +-
 src/lib/libssl/src/README                          |   4 +-
 src/lib/libssl/src/VMS/install-vms.com             |  67 ++++
 src/lib/libssl/src/VMS/mkshared.com                | 227 ++++++++----
 src/lib/libssl/src/VMS/openssl_startup.com         | 108 ++++++
 src/lib/libssl/src/VMS/openssl_undo.com            |  20 +
 src/lib/libssl/src/apps/CA.com                     |  98 ++---
 src/lib/libssl/src/apps/apps.c                     |  11 +-
 src/lib/libssl/src/apps/asn1pars.c                 |   1 +
 src/lib/libssl/src/apps/dh.c                       |   5 +-
 src/lib/libssl/src/apps/dhparam.c                  |   5 +-
 src/lib/libssl/src/apps/dsaparam.c                 |   9 +-
 src/lib/libssl/src/apps/enc.c                      |   9 +-
 src/lib/libssl/src/apps/gendh.c                    |   5 +-
 src/lib/libssl/src/apps/gendsa.c                   |   5 +-
 src/lib/libssl/src/apps/install-apps.com           | 107 ++++++
 src/lib/libssl/src/apps/makeapps.com               | 316 ++++++++++++----
 src/lib/libssl/src/apps/openssl.c                  |  64 +++-
 src/lib/libssl/src/apps/pkcs12.c                   |   2 +-
 src/lib/libssl/src/apps/pkcs7.c                    |   5 +-
 src/lib/libssl/src/apps/rand.c                     |   5 +-
 src/lib/libssl/src/apps/s_server.c                 |   5 +-
 src/lib/libssl/src/apps/s_socket.c                 |   7 +-
 src/lib/libssl/src/apps/speed.c                    |  14 +-
 src/lib/libssl/src/apps/x509.c                     |   2 -
 src/lib/libssl/src/config                          |   4 +
 src/lib/libssl/src/crypto/Makefile                 |   4 +-
 src/lib/libssl/src/crypto/asn1/a_int.c             |   3 +-
 src/lib/libssl/src/crypto/asn1/a_object.c          |   4 +-
 src/lib/libssl/src/crypto/asn1/a_strex.c           |  17 +-
 src/lib/libssl/src/crypto/asn1/a_strnid.c          |   2 +-
 src/lib/libssl/src/crypto/asn1/asn1.h              |   2 +-
 src/lib/libssl/src/crypto/asn1/n_pkey.c            |   3 +-
 src/lib/libssl/src/crypto/asn1/t_crl.c             |   3 +-
 src/lib/libssl/src/crypto/asn1/tasn_dec.c          |   3 +-
 src/lib/libssl/src/crypto/asn1/x_name.c            |   7 +-
 src/lib/libssl/src/crypto/asn1/x_x509.c            |   4 +-
 src/lib/libssl/src/crypto/bio/b_sock.c             |  29 +-
 src/lib/libssl/src/crypto/bio/bf_nbio.c            |   2 -
 src/lib/libssl/src/crypto/bio/bio_lib.c            |   4 +-
 src/lib/libssl/src/crypto/bio/bss_acpt.c           |   5 +-
 src/lib/libssl/src/crypto/bio/bss_file.c           |  12 +-
 src/lib/libssl/src/crypto/bio/bss_log.c            |  32 +-
 src/lib/libssl/src/crypto/bn/bn.h                  |  18 +
 src/lib/libssl/src/crypto/bn/bn_exp2.c             |   3 +-
 src/lib/libssl/src/crypto/bn/bn_mont.c             |   2 +-
 src/lib/libssl/src/crypto/bn/bn_mul.c              |   9 +-
 src/lib/libssl/src/crypto/comp/c_rle.c             |   3 +-
 src/lib/libssl/src/crypto/conf/conf_api.c          |   3 +-
 src/lib/libssl/src/crypto/conf/conf_def.c          |  13 +-
 src/lib/libssl/src/crypto/cryptlib.c               |  21 +-
 src/lib/libssl/src/crypto/crypto-lib.com           | 339 ++++++++++++-----
 src/lib/libssl/src/crypto/dsa/dsa_gen.c            |   3 +-
 src/lib/libssl/src/crypto/dsa/dsa_ossl.c           |  20 +-
 src/lib/libssl/src/crypto/dso/dso_dlfcn.c          |   1 +
 src/lib/libssl/src/crypto/dso/dso_vms.c            | 179 +++++----
 src/lib/libssl/src/crypto/ec/ec_mult.c             |   6 +-
 src/lib/libssl/src/crypto/ec/ecp_smpl.c            |   3 +
 src/lib/libssl/src/crypto/engine/engine.h          |   3 +
 src/lib/libssl/src/crypto/evp/encode.c             |   3 +-
 src/lib/libssl/src/crypto/evp/evp_enc.c            |   1 +
 src/lib/libssl/src/crypto/evp/evp_test.c           |   1 +
 src/lib/libssl/src/crypto/evp/p_lib.c              |   3 +
 src/lib/libssl/src/crypto/evp/p_sign.c             |   2 +-
 src/lib/libssl/src/crypto/evp/p_verify.c           |   2 +-
 src/lib/libssl/src/crypto/hmac/hmac.c              |   3 -
 src/lib/libssl/src/crypto/install-crypto.com       | 196 ++++++++++
 src/lib/libssl/src/crypto/md32_common.h            |  15 +-
 src/lib/libssl/src/crypto/o_time.c                 |  22 +-
 src/lib/libssl/src/crypto/ocsp/ocsp_ht.c           |  12 +-
 src/lib/libssl/src/crypto/ocsp/ocsp_lib.c          |   8 +-
 src/lib/libssl/src/crypto/ocsp/ocsp_prn.c          |   2 -
 src/lib/libssl/src/crypto/opensslv.h               |   6 +-
 src/lib/libssl/src/crypto/pem/pem_lib.c            |   2 -
 src/lib/libssl/src/crypto/perlasm/cbc.pl           |   2 -
 src/lib/libssl/src/crypto/pkcs12/p12_key.c         |  38 +-
 src/lib/libssl/src/crypto/pkcs7/pk7_doit.c         |   3 -
 src/lib/libssl/src/crypto/pkcs7/pk7_lib.c          |   2 -
 src/lib/libssl/src/crypto/rand/md_rand.c           |  11 +-
 src/lib/libssl/src/crypto/rand/rand_vms.c          |  16 +-
 src/lib/libssl/src/crypto/rand/randfile.c          |   6 +-
 src/lib/libssl/src/crypto/rc5/rc5_locl.h           |   4 +-
 src/lib/libssl/src/crypto/rsa/rsa_eay.c            |   2 +-
 src/lib/libssl/src/crypto/rsa/rsa_oaep.c           |  20 +-
 src/lib/libssl/src/crypto/stack/safestack.h        | 115 +++---
 src/lib/libssl/src/crypto/x509/x509.h              |   1 +
 src/lib/libssl/src/crypto/x509/x509_vfy.c          |   6 +-
 src/lib/libssl/src/crypto/x509/x_all.c             |   1 +
 src/lib/libssl/src/doc/apps/smime.pod              |   8 +-
 .../src/doc/crypto/EVP_PKEY_verifyrecover.pod      |   2 +-
 src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod |  13 +-
 src/lib/libssl/src/doc/ssl/ssl.pod                 |   2 +-
 src/lib/libssl/src/engines/makeengines.com         | 302 +++++++++++----
 src/lib/libssl/src/install.com                     | 219 ++++++-----
 src/lib/libssl/src/makevms.com                     | 404 +++++++++++++++------
 src/lib/libssl/src/ms/uplink.c                     |   3 +-
 src/lib/libssl/src/openssl.spec                    |   6 +-
 src/lib/libssl/src/ssl/bio_ssl.c                   |   4 +
 src/lib/libssl/src/ssl/install-ssl.com             | 136 +++++++
 src/lib/libssl/src/ssl/s23_lib.c                   |   7 -
 src/lib/libssl/src/ssl/s2_srvr.c                   |   7 +-
 src/lib/libssl/src/ssl/s3_clnt.c                   |   6 +
 src/lib/libssl/src/ssl/s3_enc.c                    |   3 +-
 src/lib/libssl/src/ssl/s3_lib.c                    |   6 +
 src/lib/libssl/src/ssl/s3_pkt.c                    |   6 +-
 src/lib/libssl/src/ssl/s3_srvr.c                   |  41 ++-
 src/lib/libssl/src/ssl/ssl-lib.com                 | 295 +++++++++++----
 src/lib/libssl/src/ssl/ssl_asn1.c                  |   3 +-
 src/lib/libssl/src/ssl/ssl_ciph.c                  |   6 +-
 src/lib/libssl/src/ssl/ssl_lib.c                   |  47 +--
 src/lib/libssl/src/ssl/ssltest.c                   |   3 -
 src/lib/libssl/src/ssl/t1_enc.c                    |  14 +-
 src/lib/libssl/src/ssl/t1_lib.c                    |  88 +++--
 src/lib/libssl/src/test/bctest.com                 | 152 ++++++++
 src/lib/libssl/src/test/bntest.com                 |  76 ++++
 src/lib/libssl/src/test/clean_test.com             |  35 ++
 src/lib/libssl/src/test/maketests.com              | 309 ++++++++++++----
 src/lib/libssl/src/test/tcrl.com                   |  13 +-
 src/lib/libssl/src/test/testca.com                 |   8 +-
 src/lib/libssl/src/test/testenc.com                |  13 +-
 src/lib/libssl/src/test/testgen.com                |  22 +-
 src/lib/libssl/src/test/tests.com                  | 167 ++++++---
 src/lib/libssl/src/test/testss.com                 |  17 +-
 src/lib/libssl/src/test/testssl.com                |  26 +-
 src/lib/libssl/src/test/testtsa.com                |  65 ++--
 src/lib/libssl/src/test/tpkcs7.com                 |  13 +-
 src/lib/libssl/src/test/tpkcs7d.com                |  13 +-
 src/lib/libssl/src/test/treq.com                   |  13 +-
 src/lib/libssl/src/test/trsa.com                   |  13 +-
 src/lib/libssl/src/test/tsid.com                   |  13 +-
 src/lib/libssl/src/test/tverify.com                |  10 +-
 src/lib/libssl/src/test/tx509.com                  |  13 +-
 src/lib/libssl/src/util/cygwin.sh                  |  11 +-
 src/lib/libssl/src/util/libeay.num                 |  16 +
 src/lib/libssl/src/util/mk1mf.pl                   |  20 +-
 src/lib/libssl/src/util/mkdef.pl                   |   3 +
 src/lib/libssl/src/util/mkerr.pl                   |   4 +-
 src/lib/libssl/src/util/mkstack.pl                 |  20 +-
 src/lib/libssl/src/util/pl/VC-32.pl                |   6 +-
 147 files changed, 4010 insertions(+), 1391 deletions(-)
 create mode 100755 src/lib/libssl/src/VMS/install-vms.com
 create mode 100755 src/lib/libssl/src/VMS/openssl_startup.com
 create mode 100755 src/lib/libssl/src/VMS/openssl_undo.com
 create mode 100755 src/lib/libssl/src/apps/install-apps.com
 create mode 100755 src/lib/libssl/src/crypto/install-crypto.com
 create mode 100755 src/lib/libssl/src/ssl/install-ssl.com
 create mode 100644 src/lib/libssl/src/test/bctest.com
 create mode 100644 src/lib/libssl/src/test/bntest.com
 create mode 100755 src/lib/libssl/src/test/clean_test.com

(limited to 'src/lib/libssl/src')

diff --git a/src/lib/libssl/src/CHANGES b/src/lib/libssl/src/CHANGES
index b139cf6244..a0de5abb60 100644
--- a/src/lib/libssl/src/CHANGES
+++ b/src/lib/libssl/src/CHANGES
@@ -2,6 +2,64 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 1.0.0d and 1.0.0e [6 Sep 2011]
+
+  *) Fix bug where CRLs with nextUpdate in the past are sometimes accepted
+     by initialising X509_STORE_CTX properly. (CVE-2011-3207)
+     [Kaspar Brand <ossl@velox.ch>]
+
+  *) Fix SSL memory handling for (EC)DH ciphersuites, in particular
+     for multi-threaded use of ECDH. (CVE-2011-3210)
+     [Adam Langley (Google)]
+
+  *) Fix x509_name_ex_d2i memory leak on bad inputs.
+     [Bodo Moeller]
+
+  *) Remove hard coded ecdsaWithSHA1 signature tests in ssl code and check
+     signature public key algorithm by using OID xref utilities instead.
+     Before this you could only use some ECC ciphersuites with SHA1 only.
+     [Steve Henson]
+
+  *) Add protection against ECDSA timing attacks as mentioned in the paper
+     by Billy Bob Brumley and Nicola Tuveri, see:
+
+	http://eprint.iacr.org/2011/232.pdf
+
+     [Billy Bob Brumley and Nicola Tuveri]
+
+ Changes between 1.0.0c and 1.0.0d [8 Feb 2011]
+
+  *) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
+     [Neel Mehta, Adam Langley, Bodo Moeller (Google)]
+
+  *) Fix bug in string printing code: if *any* escaping is enabled we must
+     escape the escape character (backslash) or the resulting string is
+     ambiguous.
+     [Steve Henson]
+
+ Changes between 1.0.0b and 1.0.0c  [2 Dec 2010]
+
+  *) Disable code workaround for ancient and obsolete Netscape browsers
+     and servers: an attacker can use it in a ciphersuite downgrade attack.
+     Thanks to Martin Rex for discovering this bug. CVE-2010-4180
+     [Steve Henson]
+
+  *) Fixed J-PAKE implementation error, originally discovered by
+     Sebastien Martini, further info and confirmation from Stefan
+     Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
+     [Ben Laurie]
+
+ Changes between 1.0.0a and 1.0.0b  [16 Nov 2010]
+
+  *) Fix extension code to avoid race conditions which can result in a buffer
+     overrun vulnerability: resumed sessions must not be modified as they can
+     be shared by multiple threads. CVE-2010-3864
+     [Steve Henson]
+
+  *) Fix WIN32 build system to correctly link an ENGINE directory into
+     a DLL. 
+     [Steve Henson]
+
  Changes between 1.0.0 and 1.0.0a  [01 Jun 2010]
 
   *) Check return value of int_rsa_verify in pkey_rsa_verifyrecover 
@@ -849,7 +907,73 @@
   *) Change 'Configure' script to enable Camellia by default.
      [NTT]
   
- Changes between 0.9.8n and 0.9.8o [xx XXX xxxx]
+ Changes between 0.9.8r and 0.9.8s [xx XXX xxxx]
+
+  *) Fix SSL memory handling for (EC)DH ciphersuites, in particular
+     for multi-threaded use of ECDH.
+     [Adam Langley (Google)]
+
+  *) Fix x509_name_ex_d2i memory leak on bad inputs.
+     [Bodo Moeller]
+
+  *) Add protection against ECDSA timing attacks as mentioned in the paper
+     by Billy Bob Brumley and Nicola Tuveri, see:
+
+	http://eprint.iacr.org/2011/232.pdf
+
+     [Billy Bob Brumley and Nicola Tuveri]
+
+ Changes between 0.9.8q and 0.9.8r [8 Feb 2011]
+
+  *) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
+     [Neel Mehta, Adam Langley, Bodo Moeller (Google)]
+
+  *) Fix bug in string printing code: if *any* escaping is enabled we must
+     escape the escape character (backslash) or the resulting string is
+     ambiguous.
+     [Steve Henson]
+
+ Changes between 0.9.8p and 0.9.8q [2 Dec 2010]
+
+  *) Disable code workaround for ancient and obsolete Netscape browsers
+     and servers: an attacker can use it in a ciphersuite downgrade attack.
+     Thanks to Martin Rex for discovering this bug. CVE-2010-4180
+     [Steve Henson]
+
+  *) Fixed J-PAKE implementation error, originally discovered by
+     Sebastien Martini, further info and confirmation from Stefan
+     Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
+     [Ben Laurie]
+
+ Changes between 0.9.8o and 0.9.8p [16 Nov 2010]
+
+  *) Fix extension code to avoid race conditions which can result in a buffer
+     overrun vulnerability: resumed sessions must not be modified as they can
+     be shared by multiple threads. CVE-2010-3864
+     [Steve Henson]
+
+  *) Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939
+     [Steve Henson]
+
+  *) Don't reencode certificate when calculating signature: cache and use
+     the original encoding instead. This makes signature verification of
+     some broken encodings work correctly.
+     [Steve Henson]
+
+  *) ec2_GF2m_simple_mul bugfix: compute correct result if the output EC_POINT
+     is also one of the inputs.
+     [Emilia Käsper <emilia.kasper@esat.kuleuven.be> (Google)]
+
+  *) Don't repeatedly append PBE algorithms to table if they already exist.
+     Sort table on each new add. This effectively makes the table read only
+     after all algorithms are added and subsequent calls to PKCS12_pbe_add
+     etc are non-op.
+     [Steve Henson]
+
+ Changes between 0.9.8n and 0.9.8o [01 Jun 2010]
+
+  [NB: OpenSSL 0.9.8o and later 0.9.8 patch levels were released after
+  OpenSSL 1.0.0.]
 
   *) Correct a typo in the CMS ASN1 module which can result in invalid memory
      access or freeing data twice (CVE-2010-0742)
@@ -860,6 +984,12 @@
      SSL_library_init and not OpenSSL_add_all_algorithms() will fail.
      [Steve Henson]
 
+  *) VMS fixes: 
+     Reduce copying into .apps and .test in makevms.com
+     Don't try to use blank CA certificate in CA.com
+     Allow use of C files from original directories in maketests.com
+     [Steven M. Schweda" <sms@antinode.info>]
+
  Changes between 0.9.8m and 0.9.8n [24 Mar 2010]
 
   *) When rejecting SSL/TLS records due to an incorrect version number, never
@@ -868,8 +998,8 @@
      - OpenSSL 0.9.8f if 'short' is longer than 16 bits,
      the previous behavior could result in a read attempt at NULL when
      receiving specific incorrect SSL/TLS records once record payload
-     protection is active.  (CVE-2010-####)
-     [Bodo Moeller, Adam Langley]
+     protection is active.  (CVE-2010-0740)
+     [Bodo Moeller, Adam Langley <agl@chromium.org>]
 
   *) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL 
      could be crashed if the relevant tables were not present (e.g. chrooted).
diff --git a/src/lib/libssl/src/Configure b/src/lib/libssl/src/Configure
index e3b13b9d43..429ab2e5eb 100644
--- a/src/lib/libssl/src/Configure
+++ b/src/lib/libssl/src/Configure
@@ -492,6 +492,8 @@ my %table=(
 # Win64 targets, WIN64I denotes IA-64 and WIN64A - AMD64
 "VC-WIN64I","cl:-W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64I::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:ia64cpuid.o:ia64.o::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o:::::::ias:win32",
 "VC-WIN64A","cl:-W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64A::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:x86_64cpuid.o:bn_asm.o x86_64-mont.o::aes-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o::rc4-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o:auto:win32",
+"debug-VC-WIN64I","cl:-W3 -Gs0 -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64I::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:ia64cpuid.o:ia64.o::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o:::::::ias:win32",
+"debug-VC-WIN64A","cl:-W3 -Gs0 -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64A::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:x86_64cpuid.o:bn_asm.o x86_64-mont.o::aes-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o::rc4-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o:auto:win32",
 # x86 Win32 target defaults to ANSI API, if you want UNICODE, complement
 # 'perl Configure VC-WIN32' with '-DUNICODE -D_UNICODE'
 "VC-WIN32","cl:-W3 -WX -Gs0 -GF -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE:::WIN32::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}:${x86_asm}:win32n:win32",
@@ -583,6 +585,7 @@ my %table=(
 );
 
 my @MK1MF_Builds=qw(VC-WIN64I VC-WIN64A
+		    debug-VC-WIN64I debug-VC-WIN64A
 		    VC-NT VC-CE VC-WIN32 debug-VC-WIN32
 		    BC-32 
 		    netware-clib netware-clib-bsdsock
@@ -1093,6 +1096,12 @@ my $ar = $ENV{'AR'} || "ar";
 my $arflags = $fields[$idx_arflags];
 my $multilib = $fields[$idx_multilib];
 
+# if $prefix/lib$multilib is not an existing directory, then
+# assume that it's not searched by linker automatically, in
+# which case adding $multilib suffix causes more grief than
+# we're ready to tolerate, so don't...
+$multilib="" if !-d "$prefix/lib$multilib";
+
 $libdir="lib$multilib" if $libdir eq "";
 
 $cflags = "$cflags$exp_cflags";
@@ -1102,6 +1111,12 @@ my ($prelflags,$postlflags)=split('%',$lflags);
 if (defined($postlflags))	{ $lflags=$postlflags;	}
 else				{ $lflags=$prelflags; undef $prelflags;	}
 
+if ($target =~ /^mingw/ && `$cc --target-help 2>&1` !~ m/\-mno\-cygwin/m)
+	{
+	$cflags =~ s/\-mno\-cygwin\s*//;
+	$shared_ldflag =~ s/\-mno\-cygwin\s*//;
+	}
+
 my $no_shared_warn=0;
 my $no_user_cflags=0;
 
diff --git a/src/lib/libssl/src/FAQ b/src/lib/libssl/src/FAQ
index becee6663f..fe54856a62 100644
--- a/src/lib/libssl/src/FAQ
+++ b/src/lib/libssl/src/FAQ
@@ -52,6 +52,9 @@ OpenSSL  -  Frequently Asked Questions
 * Why does the OpenSSL test suite fail in sha512t on x86 CPU?
 * Why does compiler fail to compile sha512.c?
 * Test suite still fails, what to do?
+* I think I've found a bug, what should I do?
+* I'm SURE I've found a bug, how do I report it?
+* I've found a security issue, how do I report it?
 
 [PROG] Questions about programming with OpenSSL
 
@@ -79,7 +82,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?
 
 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 1.0.0a was released on Jun 1st, 2010.
+OpenSSL 1.0.0e was released on Sep 6th, 2011.
 
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
@@ -131,7 +134,7 @@ OpenSSL.  Information on the OpenSSL mailing lists is available from
 * Where can I get a compiled version of OpenSSL?
 
 You can finder pointers to binary distributions in
-http://www.openssl.org/related/binaries.html .
+<URL: http://www.openssl.org/related/binaries.html> .
 
 Some applications that use OpenSSL are distributed in binary form.
 When using such an application, you don't need to install OpenSSL
@@ -463,7 +466,7 @@ administrators.
 Other projects do have other policies so you can for example extract the CA
 bundle used by Mozilla and/or modssl as described in this article:
 
-  http://www.mail-archive.com/modssl-users@modssl.org/msg16980.html
+  <URL: http://www.mail-archive.com/modssl-users@modssl.org/msg16980.html>
 
 
 [BUILD] =======================================================================
@@ -505,7 +508,7 @@ when you run the test suite (using "make test").  The message returned is
 "bc: 1 not implemented".
 
 The best way to deal with this is to find another implementation of bc
-and compile/install it.  GNU bc (see http://www.gnu.org/software/software.html
+and compile/install it.  GNU bc (see <URL: http://www.gnu.org/software/software.html>
 for download instructions) can be safely used, for example.
 
 
@@ -516,7 +519,7 @@ that the OpenSSL bntest throws at it.  This gets triggered when you run the
 test suite (using "make test").  The message returned is "bc: stack empty".
 
 The best way to deal with this is to find another implementation of bc
-and compile/install it.  GNU bc (see http://www.gnu.org/software/software.html
+and compile/install it.  GNU bc (see <URL: http://www.gnu.org/software/software.html>
 for download instructions) can be safely used, for example.
 
 
@@ -709,6 +712,46 @@ never make sense, and tend to emerge when you least expect them. In order
 to identify one, drop optimization level, e.g. by editing CFLAG line in
 top-level Makefile, recompile and re-run the test.
 
+* I think I've found a bug, what should I do?
+
+If you are a new user then it is quite likely you haven't found a bug and
+something is happening you aren't familiar with. Check this FAQ, the associated
+documentation and the mailing lists for similar queries. If you are still
+unsure whether it is a bug or not submit a query to the openssl-users mailing
+list.
+
+
+* I'm SURE I've found a bug, how do I report it?
+
+Bug reports with no security implications should be sent to the request
+tracker. This can be done by mailing the report to <rt@openssl.org> (or its
+alias <openssl-bugs@openssl.org>), please note that messages sent to the
+request tracker also appear in the public openssl-dev mailing list.
+
+The report should be in plain text. Any patches should be sent as
+plain text attachments because some mailers corrupt patches sent inline.
+If your issue affects multiple versions of OpenSSL check any patches apply
+cleanly and, if possible include patches to each affected version.
+
+The report should be given a meaningful subject line briefly summarising the
+issue. Just "bug in OpenSSL" or "bug in OpenSSL 0.9.8n" is not very helpful.
+
+By sending reports to the request tracker the bug can then be given a priority
+and assigned to the appropriate maintainer. The history of discussions can be
+accessed and if the issue has been addressed or a reason why not. If patches
+are only sent to openssl-dev they can be mislaid if a team member has to
+wade through months of old messages to review the discussion.
+
+See also <URL: http://www.openssl.org/support/rt.html>
+
+
+* I've found a security issue, how do I report it?
+
+If you think your bug has security implications then please send it to
+openssl-security@openssl.org if you don't get a prompt reply at least 
+acknowledging receipt then resend or mail it directly to one of the
+more active team members (e.g. Steve).
+
 [PROG] ========================================================================
 
 * Is OpenSSL thread-safe?
diff --git a/src/lib/libssl/src/INSTALL.VMS b/src/lib/libssl/src/INSTALL.VMS
index 7658f64e1d..e5d43a57ab 100644
--- a/src/lib/libssl/src/INSTALL.VMS
+++ b/src/lib/libssl/src/INSTALL.VMS
@@ -71,7 +71,7 @@ the top to understand how to use them.  However, if you want to
 compile all you can get, the simplest is to use MAKEVMS.COM in the top
 directory.  The syntax is the following:
 
-  @MAKEVMS <option> <rsaref-p> <debug-p> [<compiler>]
+  @MAKEVMS <option> <bits> <debug-p> [<compiler>]
 
 <option> must be one of the following:
 
@@ -87,24 +87,11 @@ directory.  The syntax is the following:
       TEST      Just build the "[.xxx.EXE.TEST]" test programs for OpenSSL.
       APPS      Just build the "[.xxx.EXE.APPS]" application programs for OpenSSL.
 
-<rsaref-p> must be one of the following:
+<bits> must be one of the following:
 
-      RSAREF    compile using the RSAREF Library
-      NORSAREF  compile without using RSAREF
-
-Note 0: The RSAREF library IS NO LONGER NEEDED.  The RSA patent
-        expires September 20, 2000, and RSA Security chose to make
-        the algorithm public domain two weeks before that.
-
-Note 1: If you still want to use RSAREF, the library is NOT INCLUDED
-        and you have to download it.  RSA Security doesn't carry it
-        any more, but there are a number of places where you can find
-        it.  You have to get the ".tar-Z" file as the ".zip" file
-        doesn't have the directory structure stored.  You have to
-        extract the file into the [.RSAREF] directory as that is where
-        the scripts will look for the files.
-
-Note 2: I have never done this, so I've no idea if it works or not.
+      ""        compile using default pointer size
+      32        compile using 32 bit pointer size
+      64        compile using 64 bit pointer size
 
 <debug-p> must be one of the following:
 
@@ -117,12 +104,13 @@ Note 2: I have never done this, so I've no idea if it works or not.
       GNUC      For GNU C.
 
 
-You will find the crypto library in [.xxx.EXE.CRYPTO], called LIBCRYPTO.OLB,
-where xxx is VAX or AXP.  You will find the SSL library in [.xxx.EXE.SSL],
-named LIBSSL.OLB, and you will find a bunch of useful programs in
-[.xxx.EXE.APPS].  However, these shouldn't be used right off unless it's
-just to test them.  For production use, make sure you install first, see
-Installation below.
+You will find the crypto library in [.xxx.EXE.CRYPTO] (where xxx is VAX,
+ALPHA or IA64), called SSL_LIBCRYPTO32.OLB or SSL_LIBCRYPTO.OLB depending
+on how it was built.  You will find the SSL library in [.xxx.EXE.SSL],
+named SSL_LIBSSL32.OLB or SSL_LIBSSL.OLB, and you will find a bunch of
+useful programs in [.xxx.EXE.APPS].  However, these shouldn't be used
+right off unless it's just to test them.  For production use, make sure
+you install first, see Installation below.
 
 Note 1: Some programs in this package require a TCP/IP library.
 
@@ -170,12 +158,14 @@ Installation:
 
 Installation is easy, just do the following:
 
-  @INSTALL <root>
+  @INSTALL <root> <bits>
 
 <root> is the directory in which everything will be installed,
 subdirectories, libraries, header files, programs and startup command
 procedures.
 
+<bits> works the same way as for MAKEVMS.COM
+
 N.B.: INSTALL.COM builds a new directory structure, different from
 the directory tree where you have now build OpenSSL.
 
@@ -196,6 +186,10 @@ following command procedures:
         sets up the symbols to the applications.  Should be called
         from for example SYS$MANAGER:SYLOGIN.COM 
 
+  OPENSSL_UNDO.COM
+
+	deassigns the logical names created with OPENSSL_STARTUP.COM.
+
 The logical names that are set up are the following:
 
   SSLROOT       a dotted concealed logical name pointing at the
@@ -203,7 +197,6 @@ The logical names that are set up are the following:
 
   SSLCERTS      Initially an empty directory, this is the default
 		location for certificate files.
-  SSLMISC	Various scripts.
   SSLPRIVATE	Initially an empty directory, this is the default
 		location for private key files.
 
@@ -211,8 +204,9 @@ The logical names that are set up are the following:
 		programs.
   SSLINCLUDE    Contains the header files needed if you want to
 		compile programs with libcrypto or libssl.
-  SSLLIB        Contains the OpenSSL library files (LIBCRYPTO.OLB
-		and LIBSSL.OLB) themselves.
+  SSLLIB        Contains the OpenSSL library files themselves:
+  		- SSL_LIBCRYPTO32.OLB and SSL_LIBSSL32.OLB or
+		- SSL_LIBCRYPTO.OLB and SSL_LIBSSL.OLB
 
   OPENSSL	Same as SSLINCLUDE.  This is because the standard
 		way to include OpenSSL header files from version
@@ -296,4 +290,4 @@ have any ideas.
 
 --
 Richard Levitte <richard@levitte.org>
-2000-02-27
+2000-02-27, 2011-03-18
diff --git a/src/lib/libssl/src/INSTALL.W32 b/src/lib/libssl/src/INSTALL.W32
index 77441f1ef3..d23c4baf62 100644
--- a/src/lib/libssl/src/INSTALL.W32
+++ b/src/lib/libssl/src/INSTALL.W32
@@ -185,6 +185,15 @@
    required. Run the installers and do whatever magic they say it takes
    to start MSYS bash shell with GNU tools on its PATH.
 
+   N.B. Since source tar-ball can contain symbolic links, it's essential
+   that you use accompanying MSYS tar to unpack the source. It will
+   either handle them in one way or another or fail to extract them,
+   which does the trick too. Latter means that you may safely ignore all
+   "cannot create symlink" messages, as they will be "re-created" at
+   configure stage by copying corresponding files. Alternative programs
+   were observed to create empty files instead, which results in build
+   failure.
+
  * Compile OpenSSL:
 
    $ ./config
@@ -297,7 +306,18 @@
  desktop, which is not available to service processes. The toolkit is
  designed to detect in which context it's currently executed, GUI,
  console app or service, and act accordingly, namely whether or not to
- actually make GUI calls.
+ actually make GUI calls. Additionally those who wish to
+ /DELAYLOAD:GDI32.DLL and /DELAYLOAD:USER32.DLL and actually keep them
+ off service process should consider implementing and exporting from
+ .exe image in question own _OPENSSL_isservice not relying on USER32.DLL.
+ E.g., on Windows Vista and later you could:
+
+	__declspec(dllexport) __cdecl BOOL _OPENSSL_isservice(void)
+	{   DWORD sess;
+	    if (ProcessIdToSessionId(GetCurrentProcessId(),&sess))
+	        return sess==0;
+	    return FALSE;
+	}
 
  If you link with OpenSSL .DLLs, then you're expected to include into
  your application code small "shim" snippet, which provides glue between
diff --git a/src/lib/libssl/src/LICENSE b/src/lib/libssl/src/LICENSE
index a2c4adcbe6..e47d101f10 100644
--- a/src/lib/libssl/src/LICENSE
+++ b/src/lib/libssl/src/LICENSE
@@ -12,7 +12,7 @@
   ---------------
 
 /* ====================================================================
- * Copyright (c) 1998-2008 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2011 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/src/lib/libssl/src/Makefile b/src/lib/libssl/src/Makefile
index 47bb99c40b..445e15d671 100644
--- a/src/lib/libssl/src/Makefile
+++ b/src/lib/libssl/src/Makefile
@@ -4,7 +4,7 @@
 ## Makefile for OpenSSL
 ##
 
-VERSION=1.0.0a
+VERSION=1.0.0e
 MAJOR=1
 MINOR=0.0
 SHLIB_VERSION_NUMBER=1.0.0
diff --git a/src/lib/libssl/src/NEWS b/src/lib/libssl/src/NEWS
index 3a787ea06c..672810dcc7 100644
--- a/src/lib/libssl/src/NEWS
+++ b/src/lib/libssl/src/NEWS
@@ -5,12 +5,38 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.0.0d and OpenSSL 1.0.0e:
+
+      o Fix for CRL vulnerability issue CVE-2011-3207
+      o Fix for ECDH crashes CVE-2011-3210
+      o Protection against EC timing attacks.
+      o Support ECDH ciphersuites for certificates using SHA2 algorithms.
+      o Various DTLS fixes.
+
+  Major changes between OpenSSL 1.0.0c and OpenSSL 1.0.0d:
+
+      o Fix for security issue CVE-2011-0014
+
+  Major changes between OpenSSL 1.0.0b and OpenSSL 1.0.0c:
+
+      o Fix for security issue CVE-2010-4180
+      o Fix for CVE-2010-4252
+      o Fix mishandling of absent EC point format extension.
+      o Fix various platform compilation issues.
+      o Corrected fix for security issue CVE-2010-3864.
+
+  Major changes between OpenSSL 1.0.0a and OpenSSL 1.0.0b:
+
+      o Fix for security issue CVE-2010-3864.
+      o Fix for CVE-2010-2939
+      o Fix WIN32 build system for GOST ENGINE.
+
   Major changes between OpenSSL 1.0.0 and OpenSSL 1.0.0a:
 
       o Fix for security issue CVE-2010-1633.
       o GOST MAC and CFB fixes.
 
-  Major changes between OpenSSL 0.9.8n and OpenSSL 1.0:
+  Major changes between OpenSSL 0.9.8n and OpenSSL 1.0.0:
 
       o RFC3280 path validation: sufficient to process PKITS tests.
       o Integrated support for PVK files and keyblobs.
@@ -33,6 +59,19 @@
       o Opaque PRF Input TLS extension support.
       o Updated time routines to avoid OS limitations.
 
+  Major changes between OpenSSL 0.9.8q and OpenSSL 0.9.8r:
+
+      o Fix for security issue CVE-2011-0014
+
+  Major changes between OpenSSL 0.9.8p and OpenSSL 0.9.8q:
+
+      o Fix for security issue CVE-2010-4180
+      o Fix for CVE-2010-4252
+
+  Major changes between OpenSSL 0.9.8o and OpenSSL 0.9.8p:
+
+      o Fix for security issue CVE-2010-3864.
+
   Major changes between OpenSSL 0.9.8n and OpenSSL 0.9.8o:
 
       o Fix for security issue CVE-2010-0742.
diff --git a/src/lib/libssl/src/PROBLEMS b/src/lib/libssl/src/PROBLEMS
index ed3c174535..d247470f06 100644
--- a/src/lib/libssl/src/PROBLEMS
+++ b/src/lib/libssl/src/PROBLEMS
@@ -36,7 +36,9 @@ may differ on your machine.
 
 
 As long as Apple doesn't fix the problem with ld, this problem building
-OpenSSL will remain as is.
+OpenSSL will remain as is. Well, the problem was addressed in 0.9.8f by
+passing -Wl,-search_paths_first, but it's unknown if the flag was
+supported from the initial MacOS X release.
 
 
 * Parallell make leads to errors
diff --git a/src/lib/libssl/src/README b/src/lib/libssl/src/README
index c1d0a5fd52..898437989a 100644
--- a/src/lib/libssl/src/README
+++ b/src/lib/libssl/src/README
@@ -1,7 +1,7 @@
 
- OpenSSL 1.0.0a 1 Jun 2010
+ OpenSSL 1.0.0e 6 Sep 2011
 
- Copyright (c) 1998-2010 The OpenSSL Project
+ Copyright (c) 1998-2011 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
  All rights reserved.
 
diff --git a/src/lib/libssl/src/VMS/install-vms.com b/src/lib/libssl/src/VMS/install-vms.com
new file mode 100755
index 0000000000..7da8b2153b
--- /dev/null
+++ b/src/lib/libssl/src/VMS/install-vms.com
@@ -0,0 +1,67 @@
+$! install-vms.com -- Installs the files in a given directory tree
+$!
+$! Author: Richard Levitte <richard@levitte.org>
+$! Time of creation: 23-MAY-1998 19:22
+$!
+$! P1	root of the directory tree
+$!
+$!
+$! Announce/identify.
+$!
+$ proc = f$environment( "procedure")
+$ write sys$output "@@@ "+ -
+   f$parse( proc, , , "name")+ f$parse( proc, , , "type")
+$!
+$ on error then goto tidy
+$ on control_c then goto tidy
+$!
+$ if p1 .eqs. ""
+$ then
+$   write sys$output "First argument missing."
+$   write sys$output -
+     "Should be the directory where you want things installed."
+$   exit
+$ endif
+$
+$ if (f$getsyi( "cpu") .lt. 128)
+$ then
+$   arch = "VAX"
+$ else
+$   arch = f$edit( f$getsyi( "arch_name"), "upcase")
+$   if (arch .eqs. "") then arch = "UNK"
+$ endif
+$
+$ root = f$parse( P1, "[]A.;0", , , "SYNTAX_ONLY, NO_CONCEAL")- "A.;0"
+$ root_dev = f$parse( root, , , "device", "syntax_only")
+$ root_dir = f$parse( root, , , "directory", "syntax_only") - -
+   "[000000." - "][" - "[" - "]"
+$ root = root_dev + "[" + root_dir
+$
+$ define /nolog wrk_sslroot 'root'.] /translation_attributes = concealed
+$ define /nolog wrk_sslinclude wrk_sslroot:[include]
+$
+$ if f$parse( "wrk_sslroot:[000000]") .eqs. "" then -
+   create /directory /log wrk_sslroot:[000000]
+$ if f$parse( "wrk_sslinclude:") .eqs. "" then -
+   create /directory /log wrk_sslinclude:
+$ if f$parse( "wrk_sslroot:[vms]") .eqs. "" then -
+   create /directory /log wrk_sslroot:[vms]
+$!
+$ copy /log /protection = world:re openssl_startup.com wrk_sslroot:[vms]
+$ copy /log /protection = world:re openssl_undo.com wrk_sslroot:[vms]
+$ copy /log /protection = world:re openssl_utils.com wrk_sslroot:[vms]
+$!
+$ tidy:
+$!
+$ call deass wrk_sslroot
+$ call deass wrk_sslinclude
+$!
+$ exit
+$!
+$ deass: subroutine
+$ if (f$trnlnm( p1, "LNM$PROCESS") .nes. "")
+$ then
+$   deassign /process 'p1'
+$ endif
+$ endsubroutine
+$!
diff --git a/src/lib/libssl/src/VMS/mkshared.com b/src/lib/libssl/src/VMS/mkshared.com
index c8acd2adeb..794e1de62a 100644
--- a/src/lib/libssl/src/VMS/mkshared.com
+++ b/src/lib/libssl/src/VMS/mkshared.com
@@ -1,85 +1,162 @@
-$! MKSHARED.COM -- script to created shareable images on VMS
+$! MKSHARED.COM -- Create shareable images.
 $!
-$! No command line parameters.  This should be run at the start of the source
-$! tree (the same directory where one finds INSTALL.VMS).
+$! P1: "64" for 64-bit pointers.
 $!
-$! Input:	[.UTIL]LIBEAY.NUM,[.xxx.EXE.CRYPTO]LIBCRYPTO.OLB
-$!		[.UTIL]SSLEAY.NUM,[.xxx.EXE.SSL]LIBSSL.OLB
-$! Output:	[.xxx.EXE.CRYPTO]LIBCRYPTO.OPT,.MAP,.EXE
-$!		[.xxx.EXE.SSL]LIBSSL.OPT,.MAP,.EXE
+$! P2: Zlib object library path (optional).
+$!
+$! Input:	[.UTIL]LIBEAY.NUM,[.xxx.EXE.CRYPTO]SSL_LIBCRYPTO[32].OLB
+$!		[.UTIL]SSLEAY.NUM,[.xxx.EXE.SSL]SSL_LIBSSL[32].OLB
+$! Output:	[.xxx.EXE.CRYPTO]SSL_LIBCRYPTO_SHR[32].OPT,.MAP,.EXE
+$!		[.xxx.EXE.SSL]SSL_LIBSSL_SRH[32].OPT,.MAP,.EXE
 $!
 $! So far, tests have only been made on VMS for Alpha.  VAX will come in time.
 $! ===========================================================================
-$
+$!
+$! Announce/identify.
+$!
+$ proc = f$environment( "procedure")
+$ write sys$output "@@@ "+ -
+   f$parse( proc, , , "name")+ f$parse( proc, , , "type")
+$!
+$! Save the original default device:[directory].
+$!
+$ def_orig = f$environment( "default")
+$ on error then goto tidy
+$ on control_c then goto tidy
+$!
+$! SET DEFAULT to the main kit directory.
+$!
+$ proc = f$environment("procedure")
+$ proc = f$parse( "A.;", proc)- "A.;"
+$ set default 'proc'
+$ set default [-]
+$!
 $! ----- Prepare info for processing: version number and file info
 $ gosub read_version_info
 $ if libver .eqs. ""
 $ then
 $   write sys$error "ERROR: Couldn't find any library version info..."
-$   exit
+$   go to tidy:
 $ endif
 $
-$ if (f$getsyi("cpu").lt.128)
+$ if (f$getsyi("cpu") .lt. 128)
 $ then
-$     arch := VAX
+$   arch_vax = 1
+$   arch = "VAX"
 $ else
-$     arch = f$edit( f$getsyi( "ARCH_NAME"), "UPCASE")
-$     if (arch .eqs. "") then arch = "UNK"
+$   arch_vax = 0
+$   arch = f$edit( f$getsyi( "ARCH_NAME"), "UPCASE")
+$   if (arch .eqs. "") then arch = "UNK"
 $ endif
-$
-$ if arch .nes. "VAX"
+$!
+$ archd = arch
+$ lib32 = "32"
+$ shr = "SHR32"
+$!
+$ if (p1 .nes. "")
 $ then
-$   arch_vax = 0
+$   if (p1 .eqs. "64")
+$   then
+$     archd = arch+ "_64"
+$     lib32 = ""
+$     shr = "SHR"
+$   else
+$     if (p1 .nes. "32")
+$     then
+$       write sys$output "Second argument invalid."
+$       write sys$output "It should be "32", "64", or nothing."
+$       exit
+$     endif
+$   endif
+$ endif
+$!
+$ ZLIB = p2
+$ zlib_lib = ""
+$ if (ZLIB .nes. "")
+$ then
+$   file2 = f$parse( ZLIB, "libz.olb", , , "syntax_only")
+$   if (f$search( file2) .eqs. "")
+$   then
+$     write sys$output ""
+$     write sys$output "The Option ", ZLIB, " Is Invalid."
+$     write sys$output "    Can't find library: ''file2'"
+$     write sys$output ""
+$     goto tidy
+$   endif
+$   zlib_lib = ", ''file2' /library"
+$ endif
+$!
+$ if (arch_vax)
+$ then
+$   libtit = "CRYPTO_TRANSFER_VECTOR"
 $   libid  = "Crypto"
 $   libnum = "[.UTIL]LIBEAY.NUM"
-$   libdir = "[.''ARCH'.EXE.CRYPTO]"
-$   libolb = "''libdir'LIBCRYPTO.OLB"
-$   libopt = "''libdir'LIBCRYPTO.OPT"
-$   libmap = "''libdir'LIBCRYPTO.MAP"
-$   libgoal= "''libdir'LIBCRYPTO.EXE"
+$   libdir = "[.''ARCHD'.EXE.CRYPTO]"
+$   libmar = "''libdir'SSL_LIBCRYPTO_''shr'.MAR"
+$   libolb = "''libdir'SSL_LIBCRYPTO''lib32'.OLB"
+$   libopt = "''libdir'SSL_LIBCRYPTO_''shr'.OPT"
+$   libobj = "''libdir'SSL_LIBCRYPTO_''shr'.OBJ"
+$   libmap = "''libdir'SSL_LIBCRYPTO_''shr'.MAP"
+$   libgoal= "''libdir'SSL_LIBCRYPTO_''shr'.EXE"
 $   libref = ""
-$   gosub create_nonvax_shr
+$   libvec = "LIBCRYPTO"
+$   if f$search( libolb) .nes. "" then gosub create_vax_shr
+$   libtit = "SSL_TRANSFER_VECTOR"
 $   libid  = "SSL"
 $   libnum = "[.UTIL]SSLEAY.NUM"
-$   libdir = "[.''ARCH'.EXE.SSL]"
-$   libolb = "''libdir'LIBSSL.OLB"
-$   libopt = "''libdir'LIBSSL.OPT"
-$   libmap = "''libdir'LIBSSL.MAP"
-$   libgoal= "''libdir'LIBSSL.EXE"
-$   libref = "[.''ARCH'.EXE.CRYPTO]LIBCRYPTO.EXE"
-$   gosub create_nonvax_shr
+$   libdir = "[.''ARCHD'.EXE.SSL]"
+$   libmar = "''libdir'SSL_LIBSSL_''shr'.MAR"
+$   libolb = "''libdir'SSL_LIBSSL''lib32'.OLB"
+$   libopt = "''libdir'SSL_LIBSSL_''shr'.OPT"
+$   libobj = "''libdir'SSL_LIBSSL_''shr'.OBJ"
+$   libmap = "''libdir'SSL_LIBSSL_''shr'.MAP"
+$   libgoal= "''libdir'SSL_LIBSSL_''shr'.EXE"
+$   libref = "[.''ARCHD'.EXE.CRYPTO]SSL_LIBCRYPTO_''shr'.EXE"
+$   libvec = "LIBSSL"
+$   if f$search( libolb) .nes. "" then gosub create_vax_shr
 $ else
-$   arch_vax = 1
-$   libtit = "CRYPTO_TRANSFER_VECTOR"
 $   libid  = "Crypto"
 $   libnum = "[.UTIL]LIBEAY.NUM"
-$   libdir = "[.''ARCH'.EXE.CRYPTO]"
-$   libmar = "''libdir'LIBCRYPTO.MAR"
-$   libolb = "''libdir'LIBCRYPTO.OLB"
-$   libopt = "''libdir'LIBCRYPTO.OPT"
-$   libobj = "''libdir'LIBCRYPTO.OBJ"
-$   libmap = "''libdir'LIBCRYPTO.MAP"
-$   libgoal= "''libdir'LIBCRYPTO.EXE"
+$   libdir = "[.''ARCHD'.EXE.CRYPTO]"
+$   libolb = "''libdir'SSL_LIBCRYPTO''lib32'.OLB"
+$   libopt = "''libdir'SSL_LIBCRYPTO_''shr'.OPT"
+$   libmap = "''libdir'SSL_LIBCRYPTO_''shr'.MAP"
+$   libgoal= "''libdir'SSL_LIBCRYPTO_''shr'.EXE"
 $   libref = ""
-$   libvec = "LIBCRYPTO"
-$   gosub create_vax_shr
-$   libtit = "SSL_TRANSFER_VECTOR"
+$   if f$search( libolb) .nes. "" then gosub create_nonvax_shr
 $   libid  = "SSL"
 $   libnum = "[.UTIL]SSLEAY.NUM"
-$   libdir = "[.''ARCH'.EXE.SSL]"
-$   libmar = "''libdir'LIBSSL.MAR"
-$   libolb = "''libdir'LIBSSL.OLB"
-$   libopt = "''libdir'LIBSSL.OPT"
-$   libobj = "''libdir'LIBSSL.OBJ"
-$   libmap = "''libdir'LIBSSL.MAP"
-$   libgoal= "''libdir'LIBSSL.EXE"
-$   libref = "[.''ARCH'.EXE.CRYPTO]LIBCRYPTO.EXE"
-$   libvec = "LIBSSL"
-$   gosub create_vax_shr
+$   libdir = "[.''ARCHD'.EXE.SSL]"
+$   libolb = "''libdir'SSL_LIBSSL''lib32'.OLB"
+$   libopt = "''libdir'SSL_LIBSSL_''shr'.OPT"
+$   libmap = "''libdir'SSL_LIBSSL_''shr'.MAP"
+$   libgoal= "''libdir'SSL_LIBSSL_''shr'.EXE"
+$   libref = "[.''ARCHD'.EXE.CRYPTO]SSL_LIBCRYPTO_''shr'.EXE"
+$   if f$search( libolb) .nes. "" then gosub create_nonvax_shr
 $ endif
+$!
+$ tidy:
+$!
+$! Close any open files.
+$!
+$ if (f$trnlnm( "libnum", "LNM$PROCESS", 0, "SUPERVISOR") .nes. "") then -
+   close libnum
+$!
+$ if (f$trnlnm( "mar", "LNM$PROCESS", 0, "SUPERVISOR") .nes. "") then -
+   close mar
+$!
+$ if (f$trnlnm( "opt", "LNM$PROCESS", 0, "SUPERVISOR") .nes. "") then -
+   close opt
+$!
+$ if (f$trnlnm( "vf", "LNM$PROCESS", 0, "SUPERVISOR") .nes. "") then -
+   close vf
+$!
+$! Restore the original default device:[directory].
+$!
+$ set default 'def_orig'
 $ exit
 $
-$! ----- Soubroutines to build the shareable libraries
+$! ----- Subroutines to build the shareable libraries
 $! For each supported architecture, there's a main shareable library
 $! creator, which is called from the main code above.
 $! The creator will define a number of variables to tell the next levels of
@@ -111,9 +188,9 @@ $! ----- Subroutines for non-VAX
 $! -----
 $! The creator routine
 $ create_nonvax_shr:
-$   open/write opt 'libopt'
+$   open /write opt 'libopt'
 $   write opt "identification=""",libid," ",libverstr,""""
-$   write opt libolb,"/lib"
+$   write opt libolb, " /library"
 $   if libref .nes. "" then write opt libref,"/SHARE"
 $   write opt "SYMBOL_VECTOR=(-"
 $   libfirstentry := true
@@ -124,7 +201,8 @@ $   gosub read_func_num
 $   write opt ")"
 $   write opt "GSMATCH=",libvmatch,",",libver
 $   close opt
-$   link/map='libmap'/full/share='libgoal' 'libopt'/option
+$   link /map = 'libmap' /full /share = 'libgoal' 'libopt' /options -
+     'zlib_lib'
 $   return
 $
 $! The record writer routine
@@ -158,7 +236,7 @@ $! ----- Subroutines for VAX
 $! -----
 $! The creator routine
 $ create_vax_shr:
-$   open/write mar 'libmar'
+$   open /write mar 'libmar'
 $   type sys$input:/out=mar:
 ;
 ; Transfer vector for VAX shareable image
@@ -193,10 +271,10 @@ $!   libwriter := write_vax_vtransfer_entry
 $!   gosub read_func_num
 $   write mar "	.END"
 $   close mar
-$   open/write opt 'libopt'
+$   open /write opt 'libopt'
 $   write opt "identification=""",libid," ",libverstr,""""
 $   write opt libobj
-$   write opt libolb,"/lib"
+$   write opt libolb, " /library"
 $   if libref .nes. "" then write opt libref,"/SHARE"
 $   type sys$input:/out=opt:
 !
@@ -215,7 +293,8 @@ $   libwriter := write_vax_psect_attr
 $   gosub read_func_num
 $   close opt
 $   macro/obj='libobj' 'libmar'
-$   link/map='libmap'/full/share='libgoal' 'libopt'/option
+$   link /map = 'libmap' /full /share = 'libgoal' 'libopt' /options -
+     'zlib_lib'
 $   return
 $
 $! The record writer routine for VAX functions
@@ -237,9 +316,9 @@ $   return
 $
 $! ----- Common subroutines
 $! -----
-$! The .num file reader.  This one has great responsability.
+$! The .num file reader.  This one has great responsibility.
 $ read_func_num:
-$   open libnum 'libnum'
+$   open /read libnum 'libnum'
 $   goto read_nums
 $
 $ read_nums:
@@ -247,27 +326,30 @@ $   libentrynum=0
 $   liblastentry:=false
 $   entrycount=0
 $   loop:
-$     read/end=loop_end/err=loop_end libnum line
-$     entrynum=f$int(f$element(1," ",f$edit(line,"COMPRESS,TRIM")))
-$     entryinfo=f$element(2," ",f$edit(line,"COMPRESS,TRIM"))
-$     curentry=f$element(0," ",f$edit(line,"COMPRESS,TRIM"))
-$     info_exist=f$element(0,":",entryinfo)
-$     info_platforms=","+f$element(1,":",entryinfo)+","
-$     info_kind=f$element(2,":",entryinfo)
-$     info_algorithms=","+f$element(3,":",entryinfo)+","
+$     read /end=loop_end /err=loop_end libnum line
+$     lin = f$edit( line, "COMPRESS,TRIM")
+$!    Skip a "#" comment line.
+$     if (f$extract( 0, 1, lin) .eqs. "#") then goto loop
+$     entrynum = f$int(f$element( 1, " ", lin))
+$     entryinfo = f$element( 2, " ", lin)
+$     curentry = f$element( 0, " ", lin)
+$     info_exist = f$element( 0, ":", entryinfo)
+$     info_platforms = ","+ f$element(1, ":", entryinfo)+ ","
+$     info_kind = f$element( 2, ":", entryinfo)
+$     info_algorithms = ","+ f$element( 3, ":", entryinfo)+ ","
 $     if info_exist .eqs. "NOEXIST" then goto loop
 $     truesum = 0
 $     falsesum = 0
 $     negatives = 1
 $     plat_i = 0
 $     loop1:
-$       plat_entry = f$element(plat_i,",",info_platforms)
+$       plat_entry = f$element( plat_i, ",", info_platforms)
 $       plat_i = plat_i + 1
 $       if plat_entry .eqs. "" then goto loop1
 $       if plat_entry .nes. ","
 $       then
 $         if f$extract(0,1,plat_entry) .nes. "!" then negatives = 0
-$         if f$getsyi("CPU") .lt. 128
+$         if (arch_vax)
 $         then
 $           if plat_entry .eqs. "EXPORT_VAR_AS_FUNCTION" then -
 $             truesum = truesum + 1
@@ -276,6 +358,7 @@ $             falsesum = falsesum + 1
 $         endif
 $!
 $         if ((plat_entry .eqs. "VMS") .or. -
+            ((plat_entry .eqs. "ZLIB") .and. (ZLIB .nes. "")) .or. -
             (arch_vax .and. (plat_entry .eqs. "VMSVAX"))) then -
             truesum = truesum + 1
 $!
@@ -345,7 +428,7 @@ $
 $! The version number reader
 $ read_version_info:
 $   libver = ""
-$   open/read vf [.CRYPTO]OPENSSLV.H
+$   open /read vf [.CRYPTO]OPENSSLV.H
 $   loop_rvi:
 $     read/err=endloop_rvi/end=endloop_rvi vf rvi_line
 $     if rvi_line - "SHLIB_VERSION_NUMBER """ .eqs. rvi_line then -
diff --git a/src/lib/libssl/src/VMS/openssl_startup.com b/src/lib/libssl/src/VMS/openssl_startup.com
new file mode 100755
index 0000000000..04bbbde886
--- /dev/null
+++ b/src/lib/libssl/src/VMS/openssl_startup.com
@@ -0,0 +1,108 @@
+$!
+$! Startup file for OpenSSL 1.x.
+$!
+$! 2011-03-05 SMS.
+$!
+$! This procedure must reside in the OpenSSL installation directory.
+$! It will fail if it is copied to a different location.
+$!
+$! P1  qualifier(s) for DEFINE.  For example, "/SYSTEM" to get the
+$!     logical names defined in the system logical name table.
+$!
+$! P2  "64", to use executables which were built with 64-bit pointers.
+$!
+$! Good (default) and bad status values.
+$!
+$ status =    %x00010001 ! RMS$_NORMAL, normal successful completion.
+$ rms_e_fnf = %x00018292 ! RMS$_FNF, file not found.
+$!
+$! Prepare for problems.
+$!
+$ orig_dev_dir = f$environment( "DEFAULT")
+$ on control_y then goto clean_up
+$ on error then goto clean_up
+$!
+$! Determine hardware architecture.
+$!
+$ if (f$getsyi( "cpu") .lt. 128)
+$ then
+$   arch_name = "VAX"
+$ else
+$   arch_name = f$edit( f$getsyi( "arch_name"), "upcase")
+$   if (arch_name .eqs. "") then arch_name = "UNK"
+$ endif
+$!
+$ if (p2 .eqs. "64")
+$ then
+$   arch_name_exe = arch_name+ "_64"
+$ else
+$   arch_name_exe = arch_name
+$ endif
+$!
+$! Derive the OpenSSL installation device:[directory] from the location
+$! of this command procedure.
+$!
+$ proc = f$environment( "procedure")
+$ proc_dev_dir = f$parse( "A.;", proc, , , "no_conceal") - "A.;"
+$ proc_dev = f$parse( proc_dev_dir, , , "device", "syntax_only")
+$ proc_dir = f$parse( proc_dev_dir, , , "directory", "syntax_only") - -
+   ".][000000"- "[000000."- "]["- "["- "]"
+$ proc_dev_dir = proc_dev+ "["+ proc_dir+ "]"
+$ set default 'proc_dev_dir'
+$ set default [-]
+$ ossl_dev_dir = f$environment( "default")
+$!
+$! Check existence of expected directories (to see if this procedure has
+$! been moved away from its proper place).
+$!
+$ if ((f$search( "certs.dir;1") .eqs. "") .or. -
+   (f$search( "include.dir;1") .eqs. "") .or. -
+   (f$search( "private.dir;1") .eqs. "") .or. -
+   (f$search( "vms.dir;1") .eqs. ""))
+$ then
+$    write sys$output -
+      "   Can't find expected common OpenSSL directories in:"
+$    write sys$output "   ''ossl_dev_dir'"
+$    status = rms_e_fnf
+$    goto clean_up
+$ endif
+$!
+$ if ((f$search( "''arch_name_exe'_exe.dir;1") .eqs. "") .or. -
+   (f$search( "''arch_name'_lib.dir;1") .eqs. ""))
+$ then
+$    write sys$output -
+      "   Can't find expected architecture-specific OpenSSL directories in:"
+$    write sys$output "   ''ossl_dev_dir'"
+$    status = rms_e_fnf
+$    goto clean_up
+$ endif
+$!
+$! All seems well (enough).  Define the OpenSSL logical names.
+$!
+$ ossl_root = ossl_dev_dir- "]"+ ".]"
+$ define /translation_attributes = concealed /nolog'p1 SSLROOT 'ossl_root'
+$ define /nolog 'p1' SSLCERTS     sslroot:[certs]
+$ define /nolog 'p1' SSLINCLUDE   sslroot:[include]
+$ define /nolog 'p1' SSLPRIVATE   sslroot:[private]
+$ define /nolog 'p1' SSLEXE       sslroot:['arch_name_exe'_exe]
+$ define /nolog 'p1' SSLLIB       sslroot:['arch_name'_lib]
+$!
+$! Defining OPENSSL lets a C program use "#include <openssl/{foo}.h>":
+$ define /nolog 'p1' OPENSSL      SSLINCLUDE:
+$!
+$! Run a site-specific procedure, if it exists.
+$!
+$ if f$search( "sslroot:[vms]openssl_systartup.com") .nes."" then -
+   @ sslroot:[vms]openssl_systartup.com
+$!
+$! Restore the original default dev:[dir] (if known).
+$!
+$ clean_up:
+$!
+$ if (f$type( orig_dev_dir) .nes. "")
+$ then
+$    set default 'orig_dev_dir'
+$ endif
+$!
+$ EXIT 'status'
+$!
diff --git a/src/lib/libssl/src/VMS/openssl_undo.com b/src/lib/libssl/src/VMS/openssl_undo.com
new file mode 100755
index 0000000000..d1623a3160
--- /dev/null
+++ b/src/lib/libssl/src/VMS/openssl_undo.com
@@ -0,0 +1,20 @@
+$!
+$! Deassign OpenSSL logical names.
+$!
+$ call deass "OPENSSL" "''p1'"
+$ call deass "SSLCERTS" "''p1'"
+$ call deass "SSLEXE" "''p1'"
+$ call deass "SSLINCLUDE" "''p1'"
+$ call deass "SSLLIB" "''p1'"
+$ call deass "SSLPRIVATE" "''p1'"
+$ call deass "SSLROOT" "''p1'"
+$!
+$ exit
+$!
+$deass: subroutine
+$ if (f$trnlnm( p1) .nes. "")
+$ then
+$    deassign 'p2' 'p1'
+$ endif
+$ endsubroutine
+$!
diff --git a/src/lib/libssl/src/apps/CA.com b/src/lib/libssl/src/apps/CA.com
index 69b7bb3fd8..2c0d465274 100644
--- a/src/lib/libssl/src/apps/CA.com
+++ b/src/lib/libssl/src/apps/CA.com
@@ -37,14 +37,25 @@ $ VERIFY = openssl + " verify"
 $ X509   = openssl + " x509"
 $ PKCS12 = openssl + " pkcs12"
 $ echo   = "write sys$Output"
+$ RET = 1
+$!
+$! 2010-12-20 SMS.
+$! Use a concealed logical name to reduce command line lengths, to
+$! avoid DCL errors on VAX:
+$!     %DCL-W-TKNOVF, command element is too long - shorten
+$! (Path segments like "openssl-1_0_1-stable-SNAP-20101217" accumulate
+$! quickly.)
+$!
+$ CATOP = F$PARSE( F$ENVIRONMENT( "DEFAULT"), "[]")- "].;"+ ".demoCA.]"
+$ define /translation_attributes = concealed CATOP 'CATOP'
 $!
-$ s = F$PARSE(F$ENVIRONMENT("DEFAULT"),"[]") - "].;"
-$ CATOP  := 's'.demoCA
-$ CAKEY  := ]cakey.pem
-$ CACERT := ]cacert.pem
+$ on error then goto clean_up
+$ on control_y then goto clean_up
+$!
+$ CAKEY  = "CATOP:[private]cakey.pem"
+$ CACERT = "CATOP:[000000]cacert.pem"
 $
 $ __INPUT := SYS$COMMAND
-$ RET = 1
 $!
 $ i = 1
 $opt_loop:
@@ -55,7 +66,7 @@ $
 $ IF (prog_opt .EQS. "?" .OR. prog_opt .EQS. "-h" .OR. prog_opt .EQS. "-help") 
 $ THEN
 $   echo "usage: CA -newcert|-newreq|-newca|-sign|-verify" 
-$   exit
+$   goto clean_up
 $ ENDIF
 $!
 $ IF (prog_opt .EQS. "-input")
@@ -69,7 +80,7 @@ $!
 $ IF (prog_opt .EQS. "-newcert")
 $ THEN
 $   ! Create a certificate.
-$   DEFINE/USER SYS$INPUT '__INPUT'
+$   DEFINE /USER_MODE SYS$INPUT '__INPUT'
 $   REQ -new -x509 -keyout newreq.pem -out newreq.pem 'DAYS'
 $   RET=$STATUS
 $   echo "Certificate (and private key) is in newreq.pem"
@@ -79,7 +90,7 @@ $!
 $ IF (prog_opt .EQS. "-newreq")
 $ THEN
 $   ! Create a certificate request
-$   DEFINE/USER SYS$INPUT '__INPUT'
+$   DEFINE /USER_MODE SYS$INPUT '__INPUT'
 $   REQ -new -keyout newreq.pem -out newreq.pem 'DAYS'
 $   RET=$STATUS
 $   echo "Request (and private key) is in newreq.pem"
@@ -90,41 +101,40 @@ $ IF (prog_opt .EQS. "-newca")
 $ THEN
 $   ! If explicitly asked for or it doesn't exist then setup the directory
 $   ! structure that Eric likes to manage things.
-$   IF F$SEARCH(CATOP+"]serial.") .EQS. ""
+$   IF F$SEARCH( "CATOP:[000000]serial.") .EQS. ""
 $   THEN
-$     CREATE /DIR /PROTECTION=OWNER:RWED 'CATOP']
-$     CREATE /DIR /PROTECTION=OWNER:RWED 'CATOP'.certs]
-$     CREATE /DIR /PROTECTION=OWNER:RWED 'CATOP'.crl]
-$     CREATE /DIR /PROTECTION=OWNER:RWED 'CATOP'.newcerts]
-$     CREATE /DIR /PROTECTION=OWNER:RWED 'CATOP'.private]
+$     CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[000000]
+$     CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[certs]
+$     CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[crl]
+$     CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[newcerts]
+$     CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[private]
 $
-$     OPEN   /WRITE ser_file 'CATOP']serial. 
+$     OPEN /WRITE ser_file CATOP:[000000]serial. 
 $     WRITE ser_file "01"
 $     CLOSE ser_file
-$     APPEND/NEW NL: 'CATOP']index.txt
+$     APPEND /NEW_VERSION NL: CATOP:[000000]index.txt
 $
 $     ! The following is to make sure access() doesn't get confused.  It
 $     ! really needs one file in the directory to give correct answers...
-$     COPY NLA0: 'CATOP'.certs].;
-$     COPY NLA0: 'CATOP'.crl].;
-$     COPY NLA0: 'CATOP'.newcerts].;
-$     COPY NLA0: 'CATOP'.private].;
+$     COPY NLA0: CATOP:[certs].;
+$     COPY NLA0: CATOP:[crl].;
+$     COPY NLA0: CATOP:[newcerts].;
+$     COPY NLA0: CATOP:[private].;
 $   ENDIF
 $!
-$   IF F$SEARCH(CATOP+".private"+CAKEY) .EQS. ""
+$   IF F$SEARCH( CAKEY) .EQS. ""
 $   THEN
 $     READ '__INPUT' FILE -
-	   /PROMPT="CA certificate filename (or enter to create)"
+       /PROMPT="CA certificate filename (or enter to create): "
 $     IF (FILE .NES. "") .AND. (F$SEARCH(FILE) .NES. "")
 $     THEN
-$       COPY 'FILE' 'CATOP'.private'CAKEY'
-$	RET=$STATUS
+$       COPY 'FILE' 'CAKEY'
+$       RET=$STATUS
 $     ELSE
 $       echo "Making CA certificate ..."
-$       DEFINE/USER SYS$INPUT '__INPUT'
-$       REQ -new -x509 -keyout 'CATOP'.private'CAKEY' -
-		       -out 'CATOP''CACERT' 'DAYS'
-$	RET=$STATUS
+$       DEFINE /USER_MODE SYS$INPUT '__INPUT'
+$       REQ -new -x509 -keyout 'CAKEY' -out 'CACERT' 'DAYS'
+$       RET=$STATUS
 $     ENDIF
 $   ENDIF
 $   GOTO opt_loop_continue
@@ -135,16 +145,16 @@ $ THEN
 $   i = i + 1
 $   cname = P'i'
 $   IF cname .EQS. "" THEN cname = "My certificate"
-$   PKCS12 -in newcert.pem -inkey newreq.pem -certfile 'CATOP''CACERT -
-	   -out newcert.p12 -export -name "''cname'"
+$   PKCS12 -in newcert.pem -inkey newreq.pem -certfile 'CACERT' -
+     -out newcert.p12 -export -name "''cname'"
 $   RET=$STATUS
-$   exit RET
+$   goto clean_up
 $ ENDIF
 $!
 $ IF (prog_opt .EQS. "-xsign")
 $ THEN
 $!
-$   DEFINE/USER SYS$INPUT '__INPUT'
+$   DEFINE /USER_MODE SYS$INPUT '__INPUT'
 $   CA -policy policy_anything -infiles newreq.pem
 $   RET=$STATUS
 $   GOTO opt_loop_continue
@@ -153,7 +163,7 @@ $!
 $ IF ((prog_opt .EQS. "-sign") .OR. (prog_opt .EQS. "-signreq"))
 $ THEN
 $!   
-$   DEFINE/USER SYS$INPUT '__INPUT'
+$   DEFINE /USER_MODE SYS$INPUT '__INPUT'
 $   CA -policy policy_anything -out newcert.pem -infiles newreq.pem
 $   RET=$STATUS
 $   type newcert.pem
@@ -165,9 +175,9 @@ $ IF (prog_opt .EQS. "-signcert")
 $  THEN
 $!   
 $   echo "Cert passphrase will be requested twice - bug?"
-$   DEFINE/USER SYS$INPUT '__INPUT'
+$   DEFINE /USER_MODE SYS$INPUT '__INPUT'
 $   X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
-$   DEFINE/USER SYS$INPUT '__INPUT'
+$   DEFINE /USER_MODE SYS$INPUT '__INPUT'
 $   CA -policy policy_anything -out newcert.pem -infiles tmp.pem
 y
 y
@@ -182,17 +192,17 @@ $!
 $   i = i + 1
 $   IF (p'i' .EQS. "")
 $   THEN
-$     DEFINE/USER SYS$INPUT '__INPUT'
-$     VERIFY "-CAfile" 'CATOP''CACERT' newcert.pem
+$     DEFINE /USER_MODE SYS$INPUT '__INPUT'
+$     VERIFY "-CAfile" 'CACERT' newcert.pem
 $   ELSE
 $     j = i
 $    verify_opt_loop:
 $     IF j .GT. 8 THEN GOTO verify_opt_loop_end
 $     IF p'j' .NES. ""
 $     THEN 
-$       DEFINE/USER SYS$INPUT '__INPUT'
+$       DEFINE /USER_MODE SYS$INPUT '__INPUT'
 $       __tmp = p'j'
-$       VERIFY "-CAfile" 'CATOP''CACERT' '__tmp'
+$       VERIFY "-CAfile" 'CACERT' '__tmp'
 $       tmp=$STATUS
 $       IF tmp .NE. 0 THEN RET=tmp
 $     ENDIF
@@ -208,8 +218,8 @@ $ IF (prog_opt .NES. "")
 $ THEN
 $!   
 $   echo "Unknown argument ''prog_opt'"
-$   
-$   EXIT 3
+$   RET = 3
+$   goto clean_up
 $ ENDIF
 $
 $opt_loop_continue:
@@ -217,4 +227,10 @@ $ i = i + 1
 $ GOTO opt_loop
 $
 $opt_loop_end:
+$!
+$clean_up:
+$!
+$ if f$trnlnm( "CATOP", "LNM$PROCESS") .nes. "" then -
+   deassign /process CATOP
+$!
 $ EXIT 'RET'
diff --git a/src/lib/libssl/src/apps/apps.c b/src/lib/libssl/src/apps/apps.c
index acc50df04e..feb7ed46e6 100644
--- a/src/lib/libssl/src/apps/apps.c
+++ b/src/lib/libssl/src/apps/apps.c
@@ -257,6 +257,8 @@ int args_from_file(char *file, int *argc, char **argv[])
 
 int str2fmt(char *s)
 	{
+	if (s == NULL)
+		return FORMAT_UNDEF;
 	if 	((*s == 'D') || (*s == 'd'))
 		return(FORMAT_ASN1);
 	else if ((*s == 'T') || (*s == 't'))
@@ -377,13 +379,12 @@ void program_name(char *in, char *out, int size)
 
 int chopup_args(ARGS *arg, char *buf, int *argc, char **argv[])
 	{
-	int num,len,i;
+	int num,i;
 	char *p;
 
 	*argc=0;
 	*argv=NULL;
 
-	len=strlen(buf);
 	i=0;
 	if (arg->count == 0)
 		{
@@ -797,7 +798,9 @@ X509 *load_cert(BIO *err, const char *file, int format,
 	if (file == NULL)
 		{
 #ifdef _IONBF
+# ifndef OPENSSL_NO_SETVBUF_IONBF
 		setvbuf(stdin, NULL, _IONBF, 0);
+# endif /* ndef OPENSSL_NO_SETVBUF_IONBF */
 #endif
 		BIO_set_fp(cert,stdin,BIO_NOCLOSE);
 		}
@@ -898,7 +901,9 @@ EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
 	if (file == NULL && maybe_stdin)
 		{
 #ifdef _IONBF
+# ifndef OPENSSL_NO_SETVBUF_IONBF
 		setvbuf(stdin, NULL, _IONBF, 0);
+# endif /* ndef OPENSSL_NO_SETVBUF_IONBF */
 #endif
 		BIO_set_fp(key,stdin,BIO_NOCLOSE);
 		}
@@ -987,7 +992,9 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
 	if (file == NULL && maybe_stdin)
 		{
 #ifdef _IONBF
+# ifndef OPENSSL_NO_SETVBUF_IONBF
 		setvbuf(stdin, NULL, _IONBF, 0);
+# endif /* ndef OPENSSL_NO_SETVBUF_IONBF */
 #endif
 		BIO_set_fp(key,stdin,BIO_NOCLOSE);
 		}
diff --git a/src/lib/libssl/src/apps/asn1pars.c b/src/lib/libssl/src/apps/asn1pars.c
index b5d65e725b..0d6607071f 100644
--- a/src/lib/libssl/src/apps/asn1pars.c
+++ b/src/lib/libssl/src/apps/asn1pars.c
@@ -408,6 +408,7 @@ static int do_generate(BIO *bio, char *genstr, char *genconf, BUF_MEM *buf)
 
 	atyp = ASN1_generate_nconf(genstr, cnf);
 	NCONF_free(cnf);
+	cnf = NULL;
 
 	if (!atyp)
 		return -1;
diff --git a/src/lib/libssl/src/apps/dh.c b/src/lib/libssl/src/apps/dh.c
index e9609d630d..dee9c01fce 100644
--- a/src/lib/libssl/src/apps/dh.c
+++ b/src/lib/libssl/src/apps/dh.c
@@ -88,9 +88,6 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
 	{
-#ifndef OPENSSL_NO_ENGINE
-	ENGINE *e = NULL;
-#endif
 	DH *dh=NULL;
 	int i,badops=0,text=0;
 	BIO *in=NULL,*out=NULL;
@@ -189,7 +186,7 @@ bad:
 	ERR_load_crypto_strings();
 
 #ifndef OPENSSL_NO_ENGINE
-        e = setup_engine(bio_err, engine, 0);
+        setup_engine(bio_err, engine, 0);
 #endif
 
 	in=BIO_new(BIO_s_file());
diff --git a/src/lib/libssl/src/apps/dhparam.c b/src/lib/libssl/src/apps/dhparam.c
index 5fab29eb87..b47097cbb2 100644
--- a/src/lib/libssl/src/apps/dhparam.c
+++ b/src/lib/libssl/src/apps/dhparam.c
@@ -149,9 +149,6 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
 	{
-#ifndef OPENSSL_NO_ENGINE
-	ENGINE *e = NULL;
-#endif
 	DH *dh=NULL;
 	int i,badops=0,text=0;
 #ifndef OPENSSL_NO_DSA
@@ -270,7 +267,7 @@ bad:
 	ERR_load_crypto_strings();
 
 #ifndef OPENSSL_NO_ENGINE
-        e = setup_engine(bio_err, engine, 0);
+        setup_engine(bio_err, engine, 0);
 #endif
 
 	if (g && !num)
diff --git a/src/lib/libssl/src/apps/dsaparam.c b/src/lib/libssl/src/apps/dsaparam.c
index 4305a739b3..fe72c1d3df 100644
--- a/src/lib/libssl/src/apps/dsaparam.c
+++ b/src/lib/libssl/src/apps/dsaparam.c
@@ -111,9 +111,6 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
 	{
-#ifndef OPENSSL_NO_ENGINE
-	ENGINE *e = NULL;
-#endif
 	DSA *dsa=NULL;
 	int i,badops=0,text=0;
 	BIO *in=NULL,*out=NULL;
@@ -278,7 +275,7 @@ bad:
 		}
 
 #ifndef OPENSSL_NO_ENGINE
-        e = setup_engine(bio_err, engine, 0);
+        setup_engine(bio_err, engine, 0);
 #endif
 
 	if (need_rand)
@@ -357,12 +354,10 @@ bad:
 	if (C)
 		{
 		unsigned char *data;
-		int l,len,bits_p,bits_q,bits_g;
+		int l,len,bits_p;
 
 		len=BN_num_bytes(dsa->p);
 		bits_p=BN_num_bits(dsa->p);
-		bits_q=BN_num_bits(dsa->q);
-		bits_g=BN_num_bits(dsa->g);
 		data=(unsigned char *)OPENSSL_malloc(len+20);
 		if (data == NULL)
 			{
diff --git a/src/lib/libssl/src/apps/enc.c b/src/lib/libssl/src/apps/enc.c
index 3c2c91e920..076225c4cb 100644
--- a/src/lib/libssl/src/apps/enc.c
+++ b/src/lib/libssl/src/apps/enc.c
@@ -101,9 +101,6 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
 	{
-#ifndef OPENSSL_NO_ENGINE
-	ENGINE *e = NULL;
-#endif
 	static const char magic[]="Salted__";
 	char mbuf[sizeof magic-1];
 	char *strbuf=NULL;
@@ -328,7 +325,7 @@ bad:
 		}
 
 #ifndef OPENSSL_NO_ENGINE
-        e = setup_engine(bio_err, engine, 0);
+        setup_engine(bio_err, engine, 0);
 #endif
 
 	if (md && (dgst=EVP_get_digestbyname(md)) == NULL)
@@ -396,8 +393,10 @@ bad:
 
 	if (inf == NULL)
 	        {
+#ifndef OPENSSL_NO_SETVBUF_IONBF
 		if (bufsize != NULL)
 			setvbuf(stdin, (char *)NULL, _IONBF, 0);
+#endif /* ndef OPENSSL_NO_SETVBUF_IONBF */
 		BIO_set_fp(in,stdin,BIO_NOCLOSE);
 	        }
 	else
@@ -450,8 +449,10 @@ bad:
 	if (outf == NULL)
 		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
+#ifndef OPENSSL_NO_SETVBUF_IONBF
 		if (bufsize != NULL)
 			setvbuf(stdout, (char *)NULL, _IONBF, 0);
+#endif /* ndef OPENSSL_NO_SETVBUF_IONBF */
 #ifdef OPENSSL_SYS_VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
diff --git a/src/lib/libssl/src/apps/gendh.c b/src/lib/libssl/src/apps/gendh.c
index caa7327a10..4ec776ba93 100644
--- a/src/lib/libssl/src/apps/gendh.c
+++ b/src/lib/libssl/src/apps/gendh.c
@@ -89,9 +89,6 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	BN_GENCB cb;
-#ifndef OPENSSL_NO_ENGINE
-	ENGINE *e = NULL;
-#endif
 	DH *dh=NULL;
 	int ret=1,num=DEFBITS;
 	int g=2;
@@ -163,7 +160,7 @@ bad:
 		}
 		
 #ifndef OPENSSL_NO_ENGINE
-        e = setup_engine(bio_err, engine, 0);
+        setup_engine(bio_err, engine, 0);
 #endif
 
 	out=BIO_new(BIO_s_file());
diff --git a/src/lib/libssl/src/apps/gendsa.c b/src/lib/libssl/src/apps/gendsa.c
index 22c39629e5..62ea977905 100644
--- a/src/lib/libssl/src/apps/gendsa.c
+++ b/src/lib/libssl/src/apps/gendsa.c
@@ -78,9 +78,6 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
 	{
-#ifndef OPENSSL_NO_ENGINE
-	ENGINE *e = NULL;
-#endif
 	DSA *dsa=NULL;
 	int ret=1;
 	char *outfile=NULL;
@@ -206,7 +203,7 @@ bad:
 		}
 
 #ifndef OPENSSL_NO_ENGINE
-        e = setup_engine(bio_err, engine, 0);
+        setup_engine(bio_err, engine, 0);
 #endif
 
 	if(!app_passwd(bio_err, NULL, passargout, NULL, &passout)) {
diff --git a/src/lib/libssl/src/apps/install-apps.com b/src/lib/libssl/src/apps/install-apps.com
new file mode 100755
index 0000000000..7a553aa12e
--- /dev/null
+++ b/src/lib/libssl/src/apps/install-apps.com
@@ -0,0 +1,107 @@
+$! INSTALL.COM -- Installs the files in a given directory tree
+$!
+$! Author: Richard Levitte <richard@levitte.org>
+$! Time of creation: 22-MAY-1998 10:13
+$!
+$! P1  root of the directory tree
+$! P2  "64" for 64-bit pointers.
+$!
+$!
+$! Announce/identify.
+$!
+$ proc = f$environment( "procedure")
+$ write sys$output "@@@ "+ -
+   f$parse( proc, , , "name")+ f$parse( proc, , , "type")
+$!
+$ on error then goto tidy
+$ on control_c then goto tidy
+$!
+$ if (p1 .eqs. "")
+$ then
+$   write sys$output "First argument missing."
+$   write sys$output -
+     "It should be the directory where you want things installed."
+$   exit
+$ endif
+$!
+$ if (f$getsyi("cpu") .lt. 128)
+$ then
+$   arch = "VAX"
+$ else
+$   arch = f$edit( f$getsyi( "arch_name"), "upcase")
+$   if (arch .eqs. "") then arch = "UNK"
+$ endif
+$!
+$ archd = arch
+$!
+$ if (p2 .nes. "")
+$ then
+$   if (p2 .eqs. "64")
+$   then
+$     archd = arch+ "_64"
+$   else
+$     if (p2 .nes. "32")
+$     then
+$       write sys$output "Second argument invalid."
+$       write sys$output "It should be "32", "64", or nothing."
+$       exit
+$     endif
+$   endif
+$ endif
+$!
+$ root = f$parse( p1, "[]A.;0", , , "syntax_only, no_conceal") - "A.;0"
+$ root_dev = f$parse(root,,,"device","syntax_only")
+$ root_dir = f$parse(root,,,"directory","syntax_only") - -
+   "[000000." - "][" - "[" - "]"
+$ root = root_dev + "[" + root_dir
+$!
+$ define /nolog wrk_sslroot 'root'.] /trans=conc
+$ define /nolog wrk_sslxexe wrk_sslroot:['archd'_exe]
+$!
+$ if f$parse("wrk_sslroot:[000000]") .eqs. "" then -
+   create /directory /log wrk_sslroot:[000000]
+$ if f$parse("wrk_sslxexe:") .eqs. "" then -
+   create /directory /log wrk_sslxexe:
+$!
+$ exe := openssl
+$!
+$ exe_dir := [-.'archd'.exe.apps]
+$!
+$! Executables.
+$!
+$ i = 0
+$ loop_exe:
+$   e = f$edit(f$element( i, ",", exe), "trim")
+$   i = i + 1
+$   if e .eqs. "," then goto loop_exe_end
+$   set noon
+$   file = exe_dir+ e+ ".exe"
+$   if f$search( file) .nes. ""
+$   then
+$     copy /protection = w:re 'file' wrk_sslxexe: /log
+$   endif
+$   set on
+$ goto loop_exe
+$ loop_exe_end:
+$!
+$! Miscellaneous.
+$!
+$ set noon
+$ copy /protection = w:re ca.com wrk_sslxexe:ca.com /log
+$ copy /protection = w:re openssl-vms.cnf wrk_sslroot:[000000]openssl.cnf /log
+$ set on
+$!
+$ tidy:
+$!
+$ call deass wrk_sslroot
+$ call deass wrk_sslxexe
+$!
+$ exit
+$!
+$ deass: subroutine
+$ if (f$trnlnm( p1, "LNM$PROCESS") .nes. "")
+$ then
+$   deassign /process 'p1'
+$ endif
+$ endsubroutine
+$!
diff --git a/src/lib/libssl/src/apps/makeapps.com b/src/lib/libssl/src/apps/makeapps.com
index 58f2865623..71417a86b0 100644
--- a/src/lib/libssl/src/apps/makeapps.com
+++ b/src/lib/libssl/src/apps/makeapps.com
@@ -39,11 +39,35 @@ $!  P4, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up)
 $!
 $!  P5, if defined, sets a choice of programs to compile.
 $!
+$!  P6, if defined, specifies the C pointer size.  Ignored on VAX.
+$!      ("64=ARGV" gives more efficient code with HP C V7.3 or newer.)
+$!      Supported values are:
+$!
+$!      ""       Compile with default (/NOPOINTER_SIZE)
+$!      32       Compile with /POINTER_SIZE=32 (SHORT)
+$!      64       Compile with /POINTER_SIZE=64[=ARGV] (LONG[=ARGV])
+$!               (Automatically select ARGV if compiler supports it.)
+$!      64=      Compile with /POINTER_SIZE=64 (LONG).
+$!      64=ARGV  Compile with /POINTER_SIZE=64=ARGV (LONG=ARGV).
+$!
+$!  P7, if defined, specifies a directory where ZLIB files (zlib.h,
+$!  libz.olb) may be found.  Optionally, a non-default object library
+$!  name may be included ("dev:[dir]libz_64.olb", for example).
+$!
+$!
+$! Announce/identify.
+$!
+$ proc = f$environment( "procedure")
+$ write sys$output "@@@ "+ -
+   f$parse( proc, , , "name")+ f$parse( proc, , , "type")
+$!
+$ on control_c then goto exit
 $!
 $! Define A TCP/IP Library That We Will Need To Link To.
 $! (That Is, If We Need To Link To One.)
 $!
 $ TCPIP_LIB = ""
+$ ZLIB_LIB = ""
 $!
 $! Check What Architecture We Are Using.
 $!
@@ -67,29 +91,45 @@ $! End The Architecture Check.
 $!
 $ ENDIF
 $!
+$ ARCHD = ARCH
+$ LIB32 = "32"
+$ OPT_FILE = ""
+$ POINTER_SIZE = ""
+$!
 $! Define what programs should be compiled
 $!
 $ PROGRAMS := OPENSSL
 $!
+$! Check To Make Sure We Have Valid Command Line Parameters.
+$!
+$ GOSUB CHECK_OPTIONS
+$!
 $! Define The CRYPTO Library.
 $!
-$ CRYPTO_LIB := SYS$DISK:[-.'ARCH'.EXE.CRYPTO]LIBCRYPTO.OLB
+$ CRYPTO_LIB := SYS$DISK:[-.'ARCHD'.EXE.CRYPTO]SSL_LIBCRYPTO'LIB32'.OLB
 $!
 $! Define The SSL Library.
 $!
-$ SSL_LIB := SYS$DISK:[-.'ARCH'.EXE.SSL]LIBSSL.OLB
+$ SSL_LIB := SYS$DISK:[-.'ARCHD'.EXE.SSL]SSL_LIBSSL'LIB32'.OLB
 $!
-$! Define The OBJ Directory.
+$! Define The OBJ and EXE Directories.
 $!
-$ OBJ_DIR := SYS$DISK:[-.'ARCH'.OBJ.APPS]
+$ OBJ_DIR := SYS$DISK:[-.'ARCHD'.OBJ.APPS]
+$ EXE_DIR := SYS$DISK:[-.'ARCHD'.EXE.APPS]
 $!
-$! Define The EXE Directory.
+$! Specify the destination directory in any /MAP option.
 $!
-$ EXE_DIR := SYS$DISK:[-.'ARCH'.EXE.APPS]
+$ if (LINKMAP .eqs. "MAP")
+$ then
+$   LINKMAP = LINKMAP+ "=''EXE_DIR'"
+$ endif
 $!
-$! Check To Make Sure We Have Valid Command Line Parameters.
+$! Add the location prefix to the linker options file name.
 $!
-$ GOSUB CHECK_OPTIONS
+$ if (OPT_FILE .nes. "")
+$ then
+$   OPT_FILE = EXE_DIR+ OPT_FILE
+$ endif
 $!
 $! Initialise logical names and such
 $!
@@ -97,7 +137,7 @@ $ GOSUB INITIALISE
 $!
 $! Tell The User What Kind of Machine We Run On.
 $!
-$ WRITE SYS$OUTPUT "Compiling On A ",ARCH," Machine."
+$ WRITE SYS$OUTPUT "Host system architecture: ''ARCHD'"
 $!
 $! Check To See If The OBJ Directory Exists.
 $!
@@ -145,6 +185,9 @@ $ LIB_OPENSSL = "VERIFY,ASN1PARS,REQ,DGST,DH,DHPARAM,ENC,PASSWD,GENDH,ERRSTR,"+-
 	      	"S_TIME,APPS,S_CB,S_SOCKET,APP_RAND,VERSION,SESS_ID,"+-
 	      	"CIPHERS,NSEQ,PKCS12,PKCS8,PKEY,PKEYPARAM,PKEYUTL,"+ -
 	      	"SPKAC,SMIME,CMS,RAND,ENGINE,OCSP,PRIME,TS"
+$!
+$ LIB_OPENSSL = LIB_OPENSSL+ ",VMS_DECC_INIT"
+$!
 $ TCPIP_PROGRAMS = ",,"
 $ IF COMPILER .EQS. "VAXC" THEN -
      TCPIP_PROGRAMS = ",OPENSSL,"
@@ -202,7 +245,7 @@ $   LIB_COUNTER = -1
 $!
 $!  Create a .OPT file for the object files
 $!
-$   OPEN/WRITE OBJECTS 'EXE_DIR''CURRENT_APP'.OPT
+$   OPEN /WRITE OBJECTS 'EXE_DIR''CURRENT_APP'.OPT
 $!
 $!  Top Of The File Loop.
 $!
@@ -289,34 +332,18 @@ $   GOTO NEXT_APP
 $ ENDIF
 $!
 $! Link The Program.
-$! Check To See If We Are To Link With A Specific TCP/IP Library.
 $!
 $ ON WARNING THEN GOTO NEXT_APP
 $!
-$ IF (TCPIP_LIB.NES."")
-$ THEN
-$!
 $! Don't Link With The RSAREF Routines And TCP/IP Library.
 $!
-$   LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' -
-	'EXE_DIR''CURRENT_APP'.OPT/OPTION, -
-        'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, -
-        'TCPIP_LIB','OPT_FILE'/OPTION
-$!
-$! Else...
-$!
-$ ELSE
-$!
-$! Don't Link With The RSAREF Routines And Link With A TCP/IP Library.
-$!
-$   LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' -
-	'EXE_DIR''CURRENT_APP'.OPT/OPTION, -
-        'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, -
-        'OPT_FILE'/OPTION
-$!
-$! End The TCP/IP Library Check.
-$!
-$ ENDIF
+$ LINK /'DEBUGGER' /'LINKMAP' /'TRACEBACK' /EXE='EXE_FILE' -
+  'EXE_DIR''CURRENT_APP'.OPT /OPTIONS, -
+  'SSL_LIB' /LIBRARY, -
+  'CRYPTO_LIB' /LIBRARY -
+  'TCPIP_LIB' -
+  'ZLIB_LIB' -
+  ,'OPT_FILE' /OPTIONS
 $!
 $! Go Back And Do It Again.
 $!
@@ -351,7 +378,7 @@ $!
 $     CREATE 'OPT_FILE'
 $DECK
 !
-! Default System Options File To Link Agianst 
+! Default System Options File To Link Against 
 ! The Sharable VAX C Runtime Library.
 !
 SYS$SHARE:VAXCRTL.EXE/SHARE
@@ -380,7 +407,7 @@ $!
 $     CREATE 'OPT_FILE'
 $DECK
 !
-! Default System Options File To Link Agianst 
+! Default System Options File To Link Against 
 ! The Sharable C Runtime Library.
 !
 GNU_CC:[000000]GCCLIB/LIBRARY
@@ -415,7 +442,7 @@ $!
 $       CREATE 'OPT_FILE'
 $DECK
 !
-! Default System Options File To Link Agianst 
+! Default System Options File To Link Against 
 ! The Sharable DEC C Runtime Library.
 !
 SYS$SHARE:DECC$SHR.EXE/SHARE
@@ -430,7 +457,7 @@ $!
 $       CREATE 'OPT_FILE'
 $DECK
 !
-! Default System Options File For non-VAX To Link Agianst 
+! Default System Options File For non-VAX To Link Against 
 ! The Sharable C Runtime Library.
 !
 SYS$SHARE:CMA$OPEN_LIB_SHR/SHARE
@@ -514,14 +541,15 @@ $!
 $ IF (P1.EQS."NODEBUG")
 $ THEN
 $!
-$!   P1 Is NODEBUG, So Compile Without Debugger Information.
+$!  P1 Is NODEBUG, So Compile Without Debugger Information.
 $!
-$    DEBUGGER  = "NODEBUG"
-$    TRACEBACK = "NOTRACEBACK" 
-$    GCC_OPTIMIZE = "OPTIMIZE"
-$    CC_OPTIMIZE = "OPTIMIZE"
-$    WRITE SYS$OUTPUT "No Debugger Information Will Be Produced During Compile."
-$    WRITE SYS$OUTPUT "Compiling With Compiler Optimization."
+$   DEBUGGER  = "NODEBUG"
+$   LINKMAP = "NOMAP"
+$   TRACEBACK = "NOTRACEBACK" 
+$   GCC_OPTIMIZE = "OPTIMIZE"
+$   CC_OPTIMIZE = "OPTIMIZE"
+$   WRITE SYS$OUTPUT "No Debugger Information Will Be Produced During Compile."
+$   WRITE SYS$OUTPUT "Compiling With Compiler Optimization."
 $!
 $! Else...
 $!
@@ -535,6 +563,7 @@ $!
 $!    Compile With Debugger Information.
 $!
 $     DEBUGGER  = "DEBUG"
+$     LINKMAP = "MAP"
 $     TRACEBACK = "TRACEBACK"
 $     GCC_OPTIMIZE = "NOOPTIMIZE"
 $     CC_OPTIMIZE = "NOOPTIMIZE"
@@ -542,7 +571,7 @@ $     WRITE SYS$OUTPUT "Debugger Information Will Be Produced During Compile."
 $     WRITE SYS$OUTPUT "Compiling Without Compiler Optimization."
 $   ELSE
 $!
-$!    Tell The User Entered An Invalid Option..
+$!    Tell The User Entered An Invalid Option.
 $!
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT "The Option ",P1," Is Invalid.  The Valid Options Are:"
@@ -563,6 +592,87 @@ $! End The P1 Check.
 $!
 $ ENDIF
 $!
+$! Check P6 (POINTER_SIZE).
+$!
+$ IF (P6 .NES. "") .AND. (ARCH .NES. "VAX")
+$ THEN
+$!
+$   IF (P6 .EQS. "32")
+$   THEN
+$     POINTER_SIZE = " /POINTER_SIZE=32"
+$   ELSE
+$     POINTER_SIZE = F$EDIT( P6, "COLLAPSE, UPCASE")
+$     IF ((POINTER_SIZE .EQS. "64") .OR. -
+       (POINTER_SIZE .EQS. "64=") .OR. -
+       (POINTER_SIZE .EQS. "64=ARGV"))
+$     THEN
+$       ARCHD = ARCH+ "_64"
+$       LIB32 = ""
+$       IF (F$EXTRACT( 2, 1, POINTER_SIZE) .EQS. "=")
+$       THEN
+$!        Explicit user choice: "64" or "64=ARGV".
+$         IF (POINTER_SIZE .EQS. "64=") THEN POINTER_SIZE = "64"
+$       ELSE
+$         SET NOON
+$         DEFINE /USER_MODE SYS$OUTPUT NL:
+$         DEFINE /USER_MODE SYS$ERROR NL:
+$         CC /NOLIST /NOOBJECT /POINTER_SIZE=64=ARGV NL:
+$         IF ($STATUS .AND. %X0FFF0000) .EQ. %X00030000
+$         THEN
+$           ! If we got here, it means DCL complained like this:
+$           ! %DCL-W-NOVALU, value not allowed - remove value specification
+$           !  \64=\
+$           !
+$           ! If the compiler was run, logicals defined in /USER would
+$           ! have been deassigned automatically.  However, when DCL
+$           ! complains, they aren't, so we do it here (it might be
+$           ! unnecessary, but just in case there will be another error
+$           ! message further on that we don't want to miss)
+$           DEASSIGN /USER_MODE SYS$ERROR
+$           DEASSIGN /USER_MODE SYS$OUTPUT
+$         ELSE
+$           POINTER_SIZE = POINTER_SIZE + "=ARGV"
+$         ENDIF
+$         SET ON
+$       ENDIF
+$       POINTER_SIZE = " /POINTER_SIZE=''POINTER_SIZE'"
+$!
+$     ELSE
+$!
+$!      Tell The User Entered An Invalid Option.
+$!
+$       WRITE SYS$OUTPUT ""
+$       WRITE SYS$OUTPUT "The Option ", P6, -
+         " Is Invalid.  The Valid Options Are:"
+$       WRITE SYS$OUTPUT ""
+$       WRITE SYS$OUTPUT -
+         "    """"  :  Compile with default (short) pointers."
+$       WRITE SYS$OUTPUT -
+         "    32  :  Compile with 32-bit (short) pointers."
+$       WRITE SYS$OUTPUT -
+         "    64       :  Compile with 64-bit (long) pointers (auto ARGV)."
+$       WRITE SYS$OUTPUT -
+         "    64=      :  Compile with 64-bit (long) pointers (no ARGV)."
+$       WRITE SYS$OUTPUT -
+         "    64=ARGV  :  Compile with 64-bit (long) pointers (ARGV)."
+$       WRITE SYS$OUTPUT ""
+$! 
+$!      Time To EXIT.
+$!
+$       EXIT
+$!
+$     ENDIF
+$!
+$   ENDIF
+$!
+$! End The P6 (POINTER_SIZE) Check.
+$!
+$ ENDIF
+$!
+$! Set basic C compiler /INCLUDE directories.
+$!
+$ CC_INCLUDES = "SYS$DISK:[-],SYS$DISK:[-.CRYPTO]"
+$!
 $! Check To See If P2 Is Blank.
 $!
 $ IF (P2.EQS."")
@@ -663,11 +773,64 @@ $ CCDEFS = "MONOLITH"
 $ IF F$TYPE(USER_CCDEFS) .NES. "" THEN CCDEFS = CCDEFS + "," + USER_CCDEFS
 $ CCEXTRAFLAGS = ""
 $ IF F$TYPE(USER_CCFLAGS) .NES. "" THEN CCEXTRAFLAGS = USER_CCFLAGS
-$ CCDISABLEWARNINGS = "LONGLONGTYPE,LONGLONGSUFX,FOUNDCR"
+$ CCDISABLEWARNINGS = "" !!! "LONGLONGTYPE,LONGLONGSUFX,FOUNDCR"
 $ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. "" THEN -
 	CCDISABLEWARNINGS = CCDISABLEWARNINGS + "," + USER_CCDISABLEWARNINGS
 $!
-$!  Check To See If The User Entered A Valid Paramter.
+$! Check To See If We Have A ZLIB Option.
+$!
+$ ZLIB = P7
+$ IF (ZLIB .NES. "")
+$ THEN
+$!
+$!  Check for expected ZLIB files.
+$!
+$   err = 0
+$   file1 = f$parse( "zlib.h", ZLIB, , , "SYNTAX_ONLY")
+$   if (f$search( file1) .eqs. "")
+$   then
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "The Option ", ZLIB, " Is Invalid."
+$     WRITE SYS$OUTPUT "    Can't find header: ''file1'"
+$     err = 1
+$   endif
+$   file1 = f$parse( "A.;", ZLIB)- "A.;"
+$!
+$   file2 = f$parse( ZLIB, "libz.olb", , , "SYNTAX_ONLY")
+$   if (f$search( file2) .eqs. "")
+$   then
+$     if (err .eq. 0)
+$     then
+$       WRITE SYS$OUTPUT ""
+$       WRITE SYS$OUTPUT "The Option ", ZLIB, " Is Invalid."
+$     endif
+$     WRITE SYS$OUTPUT "    Can't find library: ''file2'"
+$     WRITE SYS$OUTPUT ""
+$     err = err+ 2
+$   endif
+$   if (err .eq. 1)
+$   then
+$     WRITE SYS$OUTPUT ""
+$   endif
+$!
+$   if (err .ne. 0)
+$   then
+$     EXIT
+$   endif
+$!
+$   CCDEFS = """ZLIB=1"", "+ CCDEFS
+$   CC_INCLUDES = CC_INCLUDES+ ", "+ file1
+$   ZLIB_LIB = ", ''file2' /library"
+$!
+$!  Print info
+$!
+$   WRITE SYS$OUTPUT "ZLIB library spec: ", file2
+$!
+$! End The ZLIB Check.
+$!
+$ ENDIF
+$!
+$!  Check To See If The User Entered A Valid Parameter.
 $!
 $ IF (P2.EQS."VAXC").OR.(P2.EQS."DECC").OR.(P2.EQS."GNUC")
 $ THEN
@@ -690,13 +853,13 @@ $!
 $     CC = "CC"
 $     IF ARCH.EQS."VAX" .AND. F$TRNLNM("DECC$CC_DEFAULT").NES."/DECC" -
 	 THEN CC = "CC/DECC"
-$     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/STANDARD=ANSI89" + -
-           "/NOLIST/PREFIX=ALL" + -
-	   "/INCLUDE=(SYS$DISK:[-],SYS$DISK:[-.CRYPTO])" + CCEXTRAFLAGS
+$     CC = CC + " /''CC_OPTIMIZE' /''DEBUGGER' /STANDARD=RELAXED"+ -
+       "''POINTER_SIZE' /NOLIST /PREFIX=ALL" + -
+       " /INCLUDE=(''CC_INCLUDES') " + CCEXTRAFLAGS
 $!
 $!    Define The Linker Options File Name.
 $!
-$     OPT_FILE = "''EXE_DIR'VAX_DECC_OPTIONS.OPT"
+$     OPT_FILE = "VAX_DECC_OPTIONS.OPT"
 $!
 $!  End DECC Check.
 $!
@@ -724,7 +887,7 @@ $	EXIT
 $     ENDIF
 $     IF F$TRNLNM("DECC$CC_DEFAULT").EQS."/DECC" THEN CC = "CC/VAXC"
 $     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
-	   "/INCLUDE=(SYS$DISK:[-],SYS$DISK:[-.CRYPTO])" + CCEXTRAFLAGS
+	   "/INCLUDE=(''CC_INCLUDES')" + CCEXTRAFLAGS
 $     CCDEFS = CCDEFS + ",""VAXC"""
 $!
 $!    Define <sys> As SYS$COMMON:[SYSLIB]
@@ -733,7 +896,7 @@ $     DEFINE/NOLOG SYS SYS$COMMON:[SYSLIB]
 $!
 $!    Define The Linker Options File Name.
 $!
-$     OPT_FILE = "''EXE_DIR'VAX_VAXC_OPTIONS.OPT"
+$     OPT_FILE = "VAX_VAXC_OPTIONS.OPT"
 $!
 $!  End VAXC Check
 $!
@@ -756,11 +919,11 @@ $!    Use GNU C...
 $!
 $     IF F$TYPE(GCC) .EQS. "" THEN GCC := GCC
 $     CC = GCC+"/NOCASE_HACK/''GCC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
-	   "/INCLUDE=(SYS$DISK:[-],SYS$DISK:[-.CRYPTO])" + CCEXTRAFLAGS
+	   "/INCLUDE=(''CC_INCLUDES')" + CCEXTRAFLAGS
 $!
 $!    Define The Linker Options File Name.
 $!
-$     OPT_FILE = "''EXE_DIR'VAX_GNUC_OPTIONS.OPT"
+$     OPT_FILE = "VAX_GNUC_OPTIONS.OPT"
 $!
 $!  End The GNU C Check.
 $!
@@ -802,7 +965,7 @@ $   THEN
 $!
 $!    Set the library to use SOCKETSHR
 $!
-$     TCPIP_LIB = "SYS$DISK:[-.VMS]SOCKETSHR_SHR.OPT/OPT"
+$     TCPIP_LIB = ",SYS$DISK:[-.VMS]SOCKETSHR_SHR.OPT /OPTIONS"
 $!
 $!    Done with SOCKETSHR
 $!
@@ -828,13 +991,13 @@ $   THEN
 $!
 $!    Set the library to use UCX.
 $!
-$     TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_DECC.OPT/OPT"
+$     TCPIP_LIB = ",SYS$DISK:[-.VMS]UCX_SHR_DECC.OPT /OPTIONS"
 $     IF F$TRNLNM("UCX$IPC_SHR") .NES. ""
 $     THEN
-$       TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_DECC_LOG.OPT/OPT"
+$       TCPIP_LIB = ",SYS$DISK:[-.VMS]UCX_SHR_DECC_LOG.OPT /OPTIONS"
 $     ELSE
 $       IF COMPILER .NES. "DECC" .AND. ARCH .EQS. "VAX" THEN -
-	  TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_VAXC.OPT/OPT"
+	  TCPIP_LIB = ",SYS$DISK:[-.VMS]UCX_SHR_VAXC.OPT /OPTIONS"
 $     ENDIF
 $!
 $!    Done with UCX
@@ -848,7 +1011,7 @@ $   THEN
 $!
 $!    Set the library to use TCPIP.
 $!
-$     TCPIP_LIB = "SYS$DISK:[-.VMS]TCPIP_SHR_DECC.OPT/OPT"
+$     TCPIP_LIB = ",SYS$DISK:[-.VMS]TCPIP_SHR_DECC.OPT /OPTIONS"
 $!
 $!    Done with TCPIP
 $!
@@ -873,7 +1036,7 @@ $   CCDEFS = CCDEFS + ",TCPIP_TYPE_''P3'"
 $!
 $!  Print info
 $!
-$   WRITE SYS$OUTPUT "TCP/IP library spec: ", TCPIP_LIB
+$   WRITE SYS$OUTPUT "TCP/IP library spec: ", TCPIP_LIB- ","
 $!
 $!  Else The User Entered An Invalid Argument.
 $!
@@ -903,13 +1066,13 @@ $ IF COMPILER .EQS. "DECC"
 $ THEN
 $   IF CCDISABLEWARNINGS .NES. ""
 $   THEN
-$     CCDISABLEWARNINGS = "/WARNING=(DISABLE=(" + CCDISABLEWARNINGS + "))"
+$     CCDISABLEWARNINGS = " /WARNING=(DISABLE=(" + CCDISABLEWARNINGS + "))"
 $   ENDIF
 $ ELSE
 $   CCDISABLEWARNINGS = ""
 $ ENDIF
-$ CC2 = CC + "/DEFINE=(" + CCDEFS + ",_POSIX_C_SOURCE)" + CCDISABLEWARNINGS
-$ CC = CC + "/DEFINE=(" + CCDEFS + ")" + CCDISABLEWARNINGS
+$ CC2 = CC + " /DEFINE=(" + CCDEFS + ",_POSIX_C_SOURCE)" + CCDISABLEWARNINGS
+$ CC = CC + " /DEFINE=(" + CCDEFS + ")" + CCDISABLEWARNINGS
 $!
 $! Show user the result
 $!
@@ -975,7 +1138,7 @@ $ __INCLUDE = __TOP + "INCLUDE.OPENSSL]"
 $!
 $! Set up the logical name OPENSSL to point at the include directory
 $!
-$ DEFINE OPENSSL/NOLOG '__INCLUDE'
+$ DEFINE OPENSSL /NOLOG '__INCLUDE'
 $!
 $! Done
 $!
@@ -983,15 +1146,24 @@ $ RETURN
 $!
 $ CLEANUP:
 $!
-$! Restore the logical name OPENSSL if it had a value
+$! Restore the saved logical name OPENSSL, if it had a value.
 $!
-$ IF __SAVE_OPENSSL .EQS. ""
-$ THEN
-$   DEASSIGN OPENSSL
-$ ELSE
-$   DEFINE/NOLOG OPENSSL '__SAVE_OPENSSL'
-$ ENDIF
+$ if (f$type( __SAVE_OPENSSL) .nes. "")
+$ then
+$   IF __SAVE_OPENSSL .EQS. ""
+$   THEN
+$     DEASSIGN OPENSSL
+$   ELSE
+$     DEFINE /NOLOG OPENSSL '__SAVE_OPENSSL'
+$   ENDIF
+$ endif
+$!
+$! Close any open files.
+$!
+$ if (f$trnlnm( "objects", "LNM$PROCESS", 0, "SUPERVISOR") .nes. "") then -
+   close objects
 $!
 $! Done
 $!
 $ RETURN
+$!
diff --git a/src/lib/libssl/src/apps/openssl.c b/src/lib/libssl/src/apps/openssl.c
index 851e639735..dab057bbff 100644
--- a/src/lib/libssl/src/apps/openssl.c
+++ b/src/lib/libssl/src/apps/openssl.c
@@ -212,8 +212,13 @@ static void lock_dbg_cb(int mode, int type, const char *file, int line)
 		}
 	}
 
+#if defined( OPENSSL_SYS_VMS) && (__INITIAL_POINTER_SIZE == 64)
+# define ARGV _Argv
+#else
+# define ARGV Argv
+#endif
 
-int main(int Argc, char *Argv[])
+int main(int Argc, char *ARGV[])
 	{
 	ARGS arg;
 #define PROG_NAME_SIZE	39
@@ -227,7 +232,55 @@ int main(int Argc, char *Argv[])
 	char **argv,*p;
 	LHASH_OF(FUNCTION) *prog=NULL;
 	long errline;
- 
+
+#if defined( OPENSSL_SYS_VMS) && (__INITIAL_POINTER_SIZE == 64)
+	/* 2011-03-22 SMS.
+	 * If we have 32-bit pointers everywhere, then we're safe, and
+	 * we bypass this mess, as on non-VMS systems.  (See ARGV,
+	 * above.)
+	 * Problem 1: Compaq/HP C before V7.3 always used 32-bit
+	 * pointers for argv[].
+	 * Fix 1: For a 32-bit argv[], when we're using 64-bit pointers
+	 * everywhere else, we always allocate and use a 64-bit
+	 * duplicate of argv[].
+	 * Problem 2: Compaq/HP C V7.3 (Alpha, IA64) before ECO1 failed
+	 * to NULL-terminate a 64-bit argv[].  (As this was written, the
+	 * compiler ECO was available only on IA64.)
+	 * Fix 2: Unless advised not to (VMS_TRUST_ARGV), we test a
+	 * 64-bit argv[argc] for NULL, and, if necessary, use a
+	 * (properly) NULL-terminated (64-bit) duplicate of argv[].
+	 * The same code is used in either case to duplicate argv[].
+	 * Some of these decisions could be handled in preprocessing,
+	 * but the code tends to get even uglier, and the penalty for
+	 * deciding at compile- or run-time is tiny.
+	 */
+	char **Argv = NULL;
+	int free_Argv = 0;
+
+	if ((sizeof( _Argv) < 8)        /* 32-bit argv[]. */
+# if !defined( VMS_TRUST_ARGV)
+	 || (_Argv[ Argc] != NULL)      /* Untrusted argv[argc] not NULL. */
+# endif
+		)
+		{
+		int i;
+		Argv = OPENSSL_malloc( (Argc+ 1)* sizeof( char *));
+		if (Argv == NULL)
+			{ ret = -1; goto end; }
+		for(i = 0; i < Argc; i++)
+			Argv[i] = _Argv[i];
+		Argv[ Argc] = NULL;     /* Certain NULL termination. */
+		free_Argv = 1;
+		}
+	else
+		{
+		/* Use the known-good 32-bit argv[] (which needs the
+		 * type cast to satisfy the compiler), or the trusted or
+		 * tested-good 64-bit argv[] as-is. */
+		Argv = (char **)_Argv;
+		}
+#endif /* defined( OPENSSL_SYS_VMS) && (__INITIAL_POINTER_SIZE == 64) */
+
 	arg.data=NULL;
 	arg.count=0;
 
@@ -373,6 +426,13 @@ end:
 		BIO_free(bio_err);
 		bio_err=NULL;
 		}
+#if defined( OPENSSL_SYS_VMS) && (__INITIAL_POINTER_SIZE == 64)
+	/* Free any duplicate Argv[] storage. */
+	if (free_Argv)
+		{
+		OPENSSL_free(Argv);
+		}
+#endif
 	OPENSSL_EXIT(ret);
 	}
 
diff --git a/src/lib/libssl/src/apps/pkcs12.c b/src/lib/libssl/src/apps/pkcs12.c
index 514a02e0f1..b54c6f84a4 100644
--- a/src/lib/libssl/src/apps/pkcs12.c
+++ b/src/lib/libssl/src/apps/pkcs12.c
@@ -647,7 +647,7 @@ int MAIN(int argc, char **argv)
 
     if (!twopass) BUF_strlcpy(macpass, pass, sizeof macpass);
 
-    if (options & INFO) BIO_printf (bio_err, "MAC Iteration %ld\n", p12->mac->iter ? ASN1_INTEGER_get (p12->mac->iter) : 1);
+    if ((options & INFO) && p12->mac) BIO_printf (bio_err, "MAC Iteration %ld\n", p12->mac->iter ? ASN1_INTEGER_get (p12->mac->iter) : 1);
     if(macver) {
 #ifdef CRYPTO_MDEBUG
     CRYPTO_push_info("verify MAC");
diff --git a/src/lib/libssl/src/apps/pkcs7.c b/src/lib/libssl/src/apps/pkcs7.c
index 86d31b99a7..ae6cd33f73 100644
--- a/src/lib/libssl/src/apps/pkcs7.c
+++ b/src/lib/libssl/src/apps/pkcs7.c
@@ -82,9 +82,6 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
 	{
-#ifndef OPENSSL_NO_ENGINE
-	ENGINE *e = NULL;
-#endif
 	PKCS7 *p7=NULL;
 	int i,badops=0;
 	BIO *in=NULL,*out=NULL;
@@ -182,7 +179,7 @@ bad:
 	ERR_load_crypto_strings();
 
 #ifndef OPENSSL_NO_ENGINE
-        e = setup_engine(bio_err, engine, 0);
+        setup_engine(bio_err, engine, 0);
 #endif
 
 	in=BIO_new(BIO_s_file());
diff --git a/src/lib/libssl/src/apps/rand.c b/src/lib/libssl/src/apps/rand.c
index 44a1d46a03..790e79592c 100644
--- a/src/lib/libssl/src/apps/rand.c
+++ b/src/lib/libssl/src/apps/rand.c
@@ -77,9 +77,6 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
 	{
-#ifndef OPENSSL_NO_ENGINE
-	ENGINE *e = NULL;
-#endif
 	int i, r, ret = 1;
 	int badopt;
 	char *outfile = NULL;
@@ -178,7 +175,7 @@ int MAIN(int argc, char **argv)
 		}
 
 #ifndef OPENSSL_NO_ENGINE
-        e = setup_engine(bio_err, engine, 0);
+        setup_engine(bio_err, engine, 0);
 #endif
 
 	app_RAND_load_file(NULL, bio_err, (inrand != NULL));
diff --git a/src/lib/libssl/src/apps/s_server.c b/src/lib/libssl/src/apps/s_server.c
index 1a06d19bb1..8a0c34cf0f 100644
--- a/src/lib/libssl/src/apps/s_server.c
+++ b/src/lib/libssl/src/apps/s_server.c
@@ -2254,11 +2254,10 @@ static int www_body(char *hostname, int s, unsigned char *context)
 	{
 	char *buf=NULL;
 	int ret=1;
-	int i,j,k,blank,dot;
+	int i,j,k,dot;
 	SSL *con;
 	const SSL_CIPHER *c;
 	BIO *io,*ssl_bio,*sbio;
-	long total_bytes;
 
 	buf=OPENSSL_malloc(bufsize);
 	if (buf == NULL) return(0);
@@ -2329,7 +2328,6 @@ static int www_body(char *hostname, int s, unsigned char *context)
 		SSL_set_msg_callback_arg(con, bio_s_out);
 		}
 
-	blank=0;
 	for (;;)
 		{
 		if (hack)
@@ -2559,7 +2557,6 @@ static int www_body(char *hostname, int s, unsigned char *context)
                                         BIO_puts(io,"HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n");
                                 }
 			/* send the file */
-			total_bytes=0;
 			for (;;)
 				{
 				i=BIO_read(file,buf,bufsize);
diff --git a/src/lib/libssl/src/apps/s_socket.c b/src/lib/libssl/src/apps/s_socket.c
index 6b8713de60..c08544a13c 100644
--- a/src/lib/libssl/src/apps/s_socket.c
+++ b/src/lib/libssl/src/apps/s_socket.c
@@ -327,7 +327,7 @@ static int init_server_long(int *sock, int port, char *ip, int type)
 	{
 	int ret=0;
 	struct sockaddr_in server;
-	int s= -1,i;
+	int s= -1;
 
 	if (!ssl_sock_init()) return(0);
 
@@ -366,7 +366,6 @@ static int init_server_long(int *sock, int port, char *ip, int type)
 		}
 	/* Make it 128 for linux */
 	if (type==SOCK_STREAM && listen(s,128) == -1) goto err;
-	i=0;
 	*sock=s;
 	ret=1;
 err:
@@ -384,7 +383,7 @@ static int init_server(int *sock, int port, int type)
 
 static int do_accept(int acc_sock, int *sock, char **host)
 	{
-	int ret,i;
+	int ret;
 	struct hostent *h1,*h2;
 	static struct sockaddr_in from;
 	int len;
@@ -407,6 +406,7 @@ redoit:
 	if (ret == INVALID_SOCKET)
 		{
 #if defined(OPENSSL_SYS_WINDOWS) || (defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK))
+		int i;
 		i=WSAGetLastError();
 		BIO_printf(bio_err,"accept error %d\n",i);
 #else
@@ -461,7 +461,6 @@ redoit:
 			BIO_printf(bio_err,"gethostbyname failure\n");
 			return(0);
 			}
-		i=0;
 		if (h2->h_addrtype != AF_INET)
 			{
 			BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n");
diff --git a/src/lib/libssl/src/apps/speed.c b/src/lib/libssl/src/apps/speed.c
index 539bfff220..65f85fecf7 100644
--- a/src/lib/libssl/src/apps/speed.c
+++ b/src/lib/libssl/src/apps/speed.c
@@ -334,9 +334,6 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
 	{
-#ifndef OPENSSL_NO_ENGINE
-	ENGINE *e = NULL;
-#endif
 	unsigned char *buf=NULL,*buf2=NULL;
 	int mret=1;
 	long count=0,save_count=0;
@@ -430,7 +427,6 @@ int MAIN(int argc, char **argv)
 	unsigned char DES_iv[8];
 	unsigned char iv[2*MAX_BLOCK_SIZE/8];
 #ifndef OPENSSL_NO_DES
-	DES_cblock *buf_as_des_cblock = NULL;
 	static DES_cblock key ={0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0};
 	static DES_cblock key2={0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12};
 	static DES_cblock key3={0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12,0x34};
@@ -644,9 +640,6 @@ int MAIN(int argc, char **argv)
 		BIO_printf(bio_err,"out of memory\n");
 		goto end;
 		}
-#ifndef OPENSSL_NO_DES
-	buf_as_des_cblock = (DES_cblock *)buf;
-#endif
 	if ((buf2=(unsigned char *)OPENSSL_malloc((int)BUFSIZE)) == NULL)
 		{
 		BIO_printf(bio_err,"out of memory\n");
@@ -721,7 +714,7 @@ int MAIN(int argc, char **argv)
 				BIO_printf(bio_err,"no engine given\n");
 				goto end;
 				}
-                        e = setup_engine(bio_err, *argv, 0);
+                        setup_engine(bio_err, *argv, 0);
 			/* j will be increased again further down.  We just
 			   don't want speed to confuse an engine with an
 			   algorithm, especially when none is given (which
@@ -1237,7 +1230,8 @@ int MAIN(int argc, char **argv)
 		count*=2;
 		Time_F(START);
 		for (it=count; it; it--)
-			DES_ecb_encrypt(buf_as_des_cblock,buf_as_des_cblock,
+			DES_ecb_encrypt((DES_cblock *)buf,
+				(DES_cblock *)buf,
 				&sch,DES_ENCRYPT);
 		d=Time_F(STOP);
 		} while (d <3);
@@ -2709,6 +2703,7 @@ static int do_multi(int multi)
 				else
 					rsa_results[k][1]=d;
 				}
+#ifndef OPENSSL_NO_DSA
 			else if(!strncmp(buf,"+F3:",4))
 				{
 				int k;
@@ -2730,6 +2725,7 @@ static int do_multi(int multi)
 				else
 					dsa_results[k][1]=d;
 				}
+#endif
 #ifndef OPENSSL_NO_ECDSA
 			else if(!strncmp(buf,"+F4:",4))
 				{
diff --git a/src/lib/libssl/src/apps/x509.c b/src/lib/libssl/src/apps/x509.c
index e7e46d7b63..ed1e8c69ad 100644
--- a/src/lib/libssl/src/apps/x509.c
+++ b/src/lib/libssl/src/apps/x509.c
@@ -556,7 +556,6 @@ bad:
 	if (reqfile)
 		{
 		EVP_PKEY *pkey;
-		X509_CINF *ci;
 		BIO *in;
 
 		if (!sign_flag && !CA_flag)
@@ -624,7 +623,6 @@ bad:
 		print_name(bio_err, "subject=", X509_REQ_get_subject_name(req), nmflag);
 
 		if ((x=X509_new()) == NULL) goto end;
-		ci=x->cert_info;
 
 		if (sno == NULL)
 			{
diff --git a/src/lib/libssl/src/config b/src/lib/libssl/src/config
index 965884a627..cf64ec563e 100644
--- a/src/lib/libssl/src/config
+++ b/src/lib/libssl/src/config
@@ -825,6 +825,10 @@ esac
 #  options="$options -DATALLA"
 #fi
 
+($CC -Wa,--help -c -o /dev/null -x assembler /dev/null 2>&1 | \
+ grep \\--noexecstack) 2>&1 > /dev/null && \
+  options="$options -Wa,--noexecstack"
+
 # gcc < 2.8 does not support -march=ultrasparc
 if [ "$OUT" = solaris-sparcv9-gcc -a $GCCVER -lt 28 ]
 then
diff --git a/src/lib/libssl/src/crypto/Makefile b/src/lib/libssl/src/crypto/Makefile
index c1033f6d77..85d9f249c5 100644
--- a/src/lib/libssl/src/crypto/Makefile
+++ b/src/lib/libssl/src/crypto/Makefile
@@ -74,7 +74,9 @@ x86_64cpuid.s: x86_64cpuid.pl
 	$(PERL) x86_64cpuid.pl $(PERLASM_SCHEME) > $@
 ia64cpuid.s: ia64cpuid.S
 	$(CC) $(CFLAGS) -E ia64cpuid.S > $@
-ppccpuid.s:		ppccpuid.pl;	$(PERL) ppccpuid.pl $(PERLASM_SCHEME) $@
+ppccpuid.s:	ppccpuid.pl;	$(PERL) ppccpuid.pl $(PERLASM_SCHEME) $@
+alphacpuid.s:	alphacpuid.pl
+	$(PERL) $< | $(CC) -E - | tee $@ > /dev/null
 
 testapps:
 	[ -z "$(THIS)" ] || (	if echo $(SDIRS) | fgrep ' des '; \
diff --git a/src/lib/libssl/src/crypto/asn1/a_int.c b/src/lib/libssl/src/crypto/asn1/a_int.c
index c6fd204ae3..3348b8762c 100644
--- a/src/lib/libssl/src/crypto/asn1/a_int.c
+++ b/src/lib/libssl/src/crypto/asn1/a_int.c
@@ -273,7 +273,7 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp,
 	{
 	ASN1_INTEGER *ret=NULL;
 	const unsigned char *p;
-	unsigned char *to,*s;
+	unsigned char *s;
 	long len;
 	int inf,tag,xclass;
 	int i;
@@ -308,7 +308,6 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp,
 		i=ERR_R_MALLOC_FAILURE;
 		goto err;
 		}
-	to=s;
 	ret->type=V_ASN1_INTEGER;
 	if(len) {
 		if ((*p == 0) && (len != 1))
diff --git a/src/lib/libssl/src/crypto/asn1/a_object.c b/src/lib/libssl/src/crypto/asn1/a_object.c
index e5fbe7cbb1..3978c9150d 100644
--- a/src/lib/libssl/src/crypto/asn1/a_object.c
+++ b/src/lib/libssl/src/crypto/asn1/a_object.c
@@ -139,7 +139,7 @@ int a2d_ASN1_OBJECT(unsigned char *out, int olen, const char *buf, int num)
 				ASN1err(ASN1_F_A2D_ASN1_OBJECT,ASN1_R_INVALID_DIGIT);
 				goto err;
 				}
-			if (!use_bn && l > (ULONG_MAX / 10L))
+			if (!use_bn && l >= ((ULONG_MAX - 80) / 10L))
 				{
 				use_bn = 1;
 				if (!bl)
@@ -293,7 +293,7 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
 	/* Sanity check OID encoding: can't have leading 0x80 in
 	 * subidentifiers, see: X.690 8.19.2
 	 */
-	for (i = 0, p = *pp + 1; i < len - 1; i++, p++)
+	for (i = 0, p = *pp; i < len; i++, p++)
 		{
 		if (*p == 0x80 && (!i || !(p[-1] & 0x80)))
 			{
diff --git a/src/lib/libssl/src/crypto/asn1/a_strex.c b/src/lib/libssl/src/crypto/asn1/a_strex.c
index 7fc14d3296..264ebf2393 100644
--- a/src/lib/libssl/src/crypto/asn1/a_strex.c
+++ b/src/lib/libssl/src/crypto/asn1/a_strex.c
@@ -74,6 +74,11 @@
 
 #define CHARTYPE_BS_ESC		(ASN1_STRFLGS_ESC_2253 | CHARTYPE_FIRST_ESC_2253 | CHARTYPE_LAST_ESC_2253)
 
+#define ESC_FLAGS (ASN1_STRFLGS_ESC_2253 | \
+		  ASN1_STRFLGS_ESC_QUOTE | \
+		  ASN1_STRFLGS_ESC_CTRL | \
+		  ASN1_STRFLGS_ESC_MSB)
+
 
 /* Three IO functions for sending data to memory, a BIO and
  * and a FILE pointer.
@@ -148,6 +153,13 @@ static int do_esc_char(unsigned long c, unsigned char flags, char *do_quotes, ch
 		if(!io_ch(arg, tmphex, 3)) return -1;
 		return 3;
 	}
+	/* If we get this far and do any escaping at all must escape 
+	 * the escape character itself: backslash.
+	 */
+	if (chtmp == '\\' && flags & ESC_FLAGS) {
+		if(!io_ch(arg, "\\\\", 2)) return -1;
+		return 2;
+	}
 	if(!io_ch(arg, &chtmp, 1)) return -1;
 	return 1;
 }
@@ -292,11 +304,6 @@ static const signed char tag2nbyte[] = {
 	4, -1, 2		/* 28-30 */
 };
 
-#define ESC_FLAGS (ASN1_STRFLGS_ESC_2253 | \
-		  ASN1_STRFLGS_ESC_QUOTE | \
-		  ASN1_STRFLGS_ESC_CTRL | \
-		  ASN1_STRFLGS_ESC_MSB)
-
 /* This is the main function, print out an
  * ASN1_STRING taking note of various escape
  * and display options. Returns number of
diff --git a/src/lib/libssl/src/crypto/asn1/a_strnid.c b/src/lib/libssl/src/crypto/asn1/a_strnid.c
index 753021a7a2..2fc48c1551 100644
--- a/src/lib/libssl/src/crypto/asn1/a_strnid.c
+++ b/src/lib/libssl/src/crypto/asn1/a_strnid.c
@@ -95,7 +95,7 @@ unsigned long ASN1_STRING_get_default_mask(void)
  * default:   the default value, Printable, T61, BMP.
  */
 
-int ASN1_STRING_set_default_mask_asc(char *p)
+int ASN1_STRING_set_default_mask_asc(const char *p)
 {
 	unsigned long mask;
 	char *end;
diff --git a/src/lib/libssl/src/crypto/asn1/asn1.h b/src/lib/libssl/src/crypto/asn1/asn1.h
index f7718b5a94..59540e4e79 100644
--- a/src/lib/libssl/src/crypto/asn1/asn1.h
+++ b/src/lib/libssl/src/crypto/asn1/asn1.h
@@ -1067,7 +1067,7 @@ ASN1_STRING *ASN1_pack_string(void *obj, i2d_of_void *i2d,
 ASN1_STRING *ASN1_item_pack(void *obj, const ASN1_ITEM *it, ASN1_OCTET_STRING **oct);
 
 void ASN1_STRING_set_default_mask(unsigned long mask);
-int ASN1_STRING_set_default_mask_asc(char *p);
+int ASN1_STRING_set_default_mask_asc(const char *p);
 unsigned long ASN1_STRING_get_default_mask(void);
 int ASN1_mbstring_copy(ASN1_STRING **out, const unsigned char *in, int len,
 					int inform, unsigned long mask);
diff --git a/src/lib/libssl/src/crypto/asn1/n_pkey.c b/src/lib/libssl/src/crypto/asn1/n_pkey.c
index 60bc437938..e7d0439062 100644
--- a/src/lib/libssl/src/crypto/asn1/n_pkey.c
+++ b/src/lib/libssl/src/crypto/asn1/n_pkey.c
@@ -242,7 +242,7 @@ RSA *d2i_RSA_NET(RSA **a, const unsigned char **pp, long length,
 		 int sgckey)
 	{
 	RSA *ret=NULL;
-	const unsigned char *p, *kp;
+	const unsigned char *p;
 	NETSCAPE_ENCRYPTED_PKEY *enckey = NULL;
 
 	p = *pp;
@@ -265,7 +265,6 @@ RSA *d2i_RSA_NET(RSA **a, const unsigned char **pp, long length,
 		ASN1err(ASN1_F_D2I_RSA_NET,ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM);
 		goto err;
 	}
-	kp = enckey->enckey->digest->data;
 	if (cb == NULL)
 		cb=EVP_read_pw_string;
 	if ((ret=d2i_RSA_NET_2(a, enckey->enckey->digest,cb, sgckey)) == NULL) goto err;
diff --git a/src/lib/libssl/src/crypto/asn1/t_crl.c b/src/lib/libssl/src/crypto/asn1/t_crl.c
index bdb244c015..ee5a687ce8 100644
--- a/src/lib/libssl/src/crypto/asn1/t_crl.c
+++ b/src/lib/libssl/src/crypto/asn1/t_crl.c
@@ -87,7 +87,7 @@ int X509_CRL_print(BIO *out, X509_CRL *x)
 	STACK_OF(X509_REVOKED) *rev;
 	X509_REVOKED *r;
 	long l;
-	int i, n;
+	int i;
 	char *p;
 
 	BIO_printf(out, "Certificate Revocation List (CRL):\n");
@@ -107,7 +107,6 @@ int X509_CRL_print(BIO *out, X509_CRL *x)
 	else BIO_printf(out,"NONE");
 	BIO_printf(out,"\n");
 
-	n=X509_CRL_get_ext_count(x);
 	X509V3_extensions_print(out, "CRL extensions",
 						x->crl->extensions, 0, 8);
 
diff --git a/src/lib/libssl/src/crypto/asn1/tasn_dec.c b/src/lib/libssl/src/crypto/asn1/tasn_dec.c
index 3bee439968..87d7dfdf5c 100644
--- a/src/lib/libssl/src/crypto/asn1/tasn_dec.c
+++ b/src/lib/libssl/src/crypto/asn1/tasn_dec.c
@@ -168,7 +168,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
 	int i;
 	int otag;
 	int ret = 0;
-	ASN1_VALUE *pchval, **pchptr, *ptmpval;
+	ASN1_VALUE **pchptr, *ptmpval;
 	if (!pval)
 		return 0;
 	if (aux && aux->asn1_cb)
@@ -319,7 +319,6 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
 			goto err;
 			}
 		/* CHOICE type, try each possibility in turn */
-		pchval = NULL;
 		p = *in;
 		for (i = 0, tt=it->templates; i < it->tcount; i++, tt++)
 			{
diff --git a/src/lib/libssl/src/crypto/asn1/x_name.c b/src/lib/libssl/src/crypto/asn1/x_name.c
index caa4409feb..49be08b4da 100644
--- a/src/lib/libssl/src/crypto/asn1/x_name.c
+++ b/src/lib/libssl/src/crypto/asn1/x_name.c
@@ -214,7 +214,9 @@ static int x509_name_ex_d2i(ASN1_VALUE **val,
 	*val = nm.a;
 	*in = p;
 	return ret;
-	err:
+err:
+        if (nm.x != NULL)
+		X509_NAME_free(nm.x);
 	ASN1err(ASN1_F_X509_NAME_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
 	return 0;
 }
@@ -464,7 +466,8 @@ static int asn1_string_canon(ASN1_STRING *out, ASN1_STRING *in)
 			}
 		else
 			{
-			*to++ = tolower(*from++);
+			*to++ = tolower(*from);
+			from++;
 			i++;
 			}
 		}
diff --git a/src/lib/libssl/src/crypto/asn1/x_x509.c b/src/lib/libssl/src/crypto/asn1/x_x509.c
index dafd3cc921..de3df9eb51 100644
--- a/src/lib/libssl/src/crypto/asn1/x_x509.c
+++ b/src/lib/libssl/src/crypto/asn1/x_x509.c
@@ -63,7 +63,7 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
-ASN1_SEQUENCE(X509_CINF) = {
+ASN1_SEQUENCE_enc(X509_CINF, enc, 0) = {
 	ASN1_EXP_OPT(X509_CINF, version, ASN1_INTEGER, 0),
 	ASN1_SIMPLE(X509_CINF, serialNumber, ASN1_INTEGER),
 	ASN1_SIMPLE(X509_CINF, signature, X509_ALGOR),
@@ -74,7 +74,7 @@ ASN1_SEQUENCE(X509_CINF) = {
 	ASN1_IMP_OPT(X509_CINF, issuerUID, ASN1_BIT_STRING, 1),
 	ASN1_IMP_OPT(X509_CINF, subjectUID, ASN1_BIT_STRING, 2),
 	ASN1_EXP_SEQUENCE_OF_OPT(X509_CINF, extensions, X509_EXTENSION, 3)
-} ASN1_SEQUENCE_END(X509_CINF)
+} ASN1_SEQUENCE_END_enc(X509_CINF, X509_CINF)
 
 IMPLEMENT_ASN1_FUNCTIONS(X509_CINF)
 /* X509 top level structure needs a bit of customisation */
diff --git a/src/lib/libssl/src/crypto/bio/b_sock.c b/src/lib/libssl/src/crypto/bio/b_sock.c
index 12b0a53a81..d47310d650 100644
--- a/src/lib/libssl/src/crypto/bio/b_sock.c
+++ b/src/lib/libssl/src/crypto/bio/b_sock.c
@@ -551,7 +551,30 @@ int BIO_socket_ioctl(int fd, long type, void *arg)
 #ifdef __DJGPP__
 	i=ioctlsocket(fd,type,(char *)arg);
 #else
-	i=ioctlsocket(fd,type,arg);
+# if defined(OPENSSL_SYS_VMS)
+	/* 2011-02-18 SMS.
+	 * VMS ioctl() can't tolerate a 64-bit "void *arg", but we
+	 * observe that all the consumers pass in an "unsigned long *",
+	 * so we arrange a local copy with a short pointer, and use
+	 * that, instead.
+	 */
+#  if __INITIAL_POINTER_SIZE == 64
+#   define ARG arg_32p
+#   pragma pointer_size save
+#   pragma pointer_size 32
+	unsigned long arg_32;
+	unsigned long *arg_32p;
+#   pragma pointer_size restore
+	arg_32p = &arg_32;
+	arg_32 = *((unsigned long *) arg);
+#  else /* __INITIAL_POINTER_SIZE == 64 */
+#   define ARG arg
+#  endif /* __INITIAL_POINTER_SIZE == 64 [else] */
+# else /* defined(OPENSSL_SYS_VMS) */
+#  define ARG arg
+# endif /* defined(OPENSSL_SYS_VMS) [else] */
+
+	i=ioctlsocket(fd,type,ARG);
 #endif /* __DJGPP__ */
 	if (i < 0)
 		SYSerr(SYS_F_IOCTLSOCKET,get_last_socket_error());
@@ -660,6 +683,7 @@ int BIO_get_accept_socket(char *host, int bind_mode)
 	 * note that commonly IPv6 wildchard socket can service
 	 * IPv4 connections just as well...  */
 	memset(&hint,0,sizeof(hint));
+	hint.ai_flags = AI_PASSIVE;
 	if (h)
 		{
 		if (strchr(h,':'))
@@ -672,7 +696,10 @@ int BIO_get_accept_socket(char *host, int bind_mode)
 #endif
 			}
 	    	else if (h[0]=='*' && h[1]=='\0')
+			{
+			hint.ai_family = AF_INET;
 			h=NULL;
+			}
 		}
 
 	if ((*p_getaddrinfo.f)(h,p,&hint,&res)) break;
diff --git a/src/lib/libssl/src/crypto/bio/bf_nbio.c b/src/lib/libssl/src/crypto/bio/bf_nbio.c
index c72a23c2e1..028616c064 100644
--- a/src/lib/libssl/src/crypto/bio/bf_nbio.c
+++ b/src/lib/libssl/src/crypto/bio/bf_nbio.c
@@ -125,7 +125,6 @@ static int nbiof_free(BIO *a)
 	
 static int nbiof_read(BIO *b, char *out, int outl)
 	{
-	NBIO_TEST *nt;
 	int ret=0;
 #if 1
 	int num;
@@ -134,7 +133,6 @@ static int nbiof_read(BIO *b, char *out, int outl)
 
 	if (out == NULL) return(0);
 	if (b->next_bio == NULL) return(0);
-	nt=(NBIO_TEST *)b->ptr;
 
 	BIO_clear_retry_flags(b);
 #if 1
diff --git a/src/lib/libssl/src/crypto/bio/bio_lib.c b/src/lib/libssl/src/crypto/bio/bio_lib.c
index 77f4de9c32..e12bc3a2ca 100644
--- a/src/lib/libssl/src/crypto/bio/bio_lib.c
+++ b/src/lib/libssl/src/crypto/bio/bio_lib.c
@@ -110,7 +110,7 @@ int BIO_set(BIO *bio, BIO_METHOD *method)
 
 int BIO_free(BIO *a)
 	{
-	int ret=0,i;
+	int i;
 
 	if (a == NULL) return(0);
 
@@ -133,7 +133,7 @@ int BIO_free(BIO *a)
 	CRYPTO_free_ex_data(CRYPTO_EX_INDEX_BIO, a, &a->ex_data);
 
 	if ((a->method == NULL) || (a->method->destroy == NULL)) return(1);
-	ret=a->method->destroy(a);
+	a->method->destroy(a);
 	OPENSSL_free(a);
 	return(1);
 	}
diff --git a/src/lib/libssl/src/crypto/bio/bss_acpt.c b/src/lib/libssl/src/crypto/bio/bss_acpt.c
index 826f761143..5d49e1a72b 100644
--- a/src/lib/libssl/src/crypto/bio/bss_acpt.c
+++ b/src/lib/libssl/src/crypto/bio/bss_acpt.c
@@ -340,7 +340,6 @@ static int acpt_write(BIO *b, const char *in, int inl)
 
 static long acpt_ctrl(BIO *b, int cmd, long num, void *ptr)
 	{
-	BIO *dbio;
 	int *ip;
 	long ret=1;
 	BIO_ACCEPT *data;
@@ -437,8 +436,8 @@ static long acpt_ctrl(BIO *b, int cmd, long num, void *ptr)
 		ret=(long)data->bind_mode;
 		break;
 	case BIO_CTRL_DUP:
-		dbio=(BIO *)ptr;
-/*		if (data->param_port) EAY EAY
+/*		dbio=(BIO *)ptr;
+		if (data->param_port) EAY EAY
 			BIO_set_port(dbio,data->param_port);
 		if (data->param_hostname)
 			BIO_set_hostname(dbio,data->param_hostname);
diff --git a/src/lib/libssl/src/crypto/bio/bss_file.c b/src/lib/libssl/src/crypto/bio/bss_file.c
index 8bfa0bcd97..b954fe7ebc 100644
--- a/src/lib/libssl/src/crypto/bio/bss_file.c
+++ b/src/lib/libssl/src/crypto/bio/bss_file.c
@@ -123,6 +123,7 @@ BIO *BIO_new_file(const char *filename, const char *mode)
 
 #if defined(_WIN32) && defined(CP_UTF8)
 	int sz, len_0 = (int)strlen(filename)+1;
+	DWORD flags;
 
 	/*
 	 * Basically there are three cases to cover: a) filename is
@@ -136,17 +137,22 @@ BIO *BIO_new_file(const char *filename, const char *mode)
 	 * ERROR_NO_UNICODE_TRANSLATION, in which case we fall
 	 * back to fopen...
 	 */
-	if ((sz=MultiByteToWideChar(CP_UTF8,MB_ERR_INVALID_CHARS,
+	if ((sz=MultiByteToWideChar(CP_UTF8,(flags=MB_ERR_INVALID_CHARS),
+					filename,len_0,NULL,0))>0 ||
+	    (GetLastError()==ERROR_INVALID_FLAGS &&
+	     (sz=MultiByteToWideChar(CP_UTF8,(flags=0),
 					filename,len_0,NULL,0))>0)
+	   )
 		{
 		WCHAR  wmode[8];
 		WCHAR *wfilename = _alloca(sz*sizeof(WCHAR));
 
-		if (MultiByteToWideChar(CP_UTF8,MB_ERR_INVALID_CHARS,
+		if (MultiByteToWideChar(CP_UTF8,flags,
 					filename,len_0,wfilename,sz) &&
 		    MultiByteToWideChar(CP_UTF8,0,mode,strlen(mode)+1,
 			    		wmode,sizeof(wmode)/sizeof(wmode[0])) &&
-		    (file=_wfopen(wfilename,wmode))==NULL && errno==ENOENT
+		    (file=_wfopen(wfilename,wmode))==NULL &&
+		    (errno==ENOENT || errno==EBADF)
 		   )	/* UTF-8 decode succeeded, but no file, filename
 			 * could still have been locale-ized... */
 			file = fopen(filename,mode);
diff --git a/src/lib/libssl/src/crypto/bio/bss_log.c b/src/lib/libssl/src/crypto/bio/bss_log.c
index 7ead044b37..b7dce5c1a2 100644
--- a/src/lib/libssl/src/crypto/bio/bss_log.c
+++ b/src/lib/libssl/src/crypto/bio/bss_log.c
@@ -75,6 +75,15 @@
 #  include <descrip.h>
 #  include <lib$routines.h>
 #  include <starlet.h>
+/* Some compiler options may mask the declaration of "_malloc32". */
+#  if __INITIAL_POINTER_SIZE && defined _ANSI_C_SOURCE
+#    if __INITIAL_POINTER_SIZE == 64
+#      pragma pointer_size save
+#      pragma pointer_size 32
+    void * _malloc32  (__size_t);
+#      pragma pointer_size restore
+#    endif /* __INITIAL_POINTER_SIZE == 64 */
+#  endif /* __INITIAL_POINTER_SIZE && defined _ANSI_C_SOURCE */
 #elif defined(__ultrix)
 #  include <sys/syslog.h>
 #elif defined(OPENSSL_SYS_NETWARE)
@@ -300,7 +309,24 @@ static void xopenlog(BIO* bp, char* name, int level)
 static void xsyslog(BIO *bp, int priority, const char *string)
 {
 	struct dsc$descriptor_s opc_dsc;
+
+/* Arrange 32-bit pointer to opcdef buffer and malloc(), if needed. */
+#if __INITIAL_POINTER_SIZE == 64
+# pragma pointer_size save
+# pragma pointer_size 32
+# define OPCDEF_TYPE __char_ptr32
+# define OPCDEF_MALLOC _malloc32
+#else /* __INITIAL_POINTER_SIZE == 64 */
+# define OPCDEF_TYPE char *
+# define OPCDEF_MALLOC OPENSSL_malloc
+#endif /* __INITIAL_POINTER_SIZE == 64 [else] */
+
 	struct opcdef *opcdef_p;
+
+#if __INITIAL_POINTER_SIZE == 64
+# pragma pointer_size restore
+#endif /* __INITIAL_POINTER_SIZE == 64 */
+
 	char buf[10240];
 	unsigned int len;
         struct dsc$descriptor_s buf_dsc;
@@ -326,8 +352,8 @@ static void xsyslog(BIO *bp, int priority, const char *string)
 
 	lib$sys_fao(&fao_cmd, &len, &buf_dsc, priority_tag, string);
 
-	/* we know there's an 8 byte header.  That's documented */
-	opcdef_p = (struct opcdef *) OPENSSL_malloc(8 + len);
+	/* We know there's an 8-byte header.  That's documented. */
+	opcdef_p = OPCDEF_MALLOC( 8+ len);
 	opcdef_p->opc$b_ms_type = OPC$_RQ_RQST;
 	memcpy(opcdef_p->opc$z_ms_target_classes, &VMS_OPC_target, 3);
 	opcdef_p->opc$l_ms_rqstid = 0;
@@ -335,7 +361,7 @@ static void xsyslog(BIO *bp, int priority, const char *string)
 
 	opc_dsc.dsc$b_dtype = DSC$K_DTYPE_T;
 	opc_dsc.dsc$b_class = DSC$K_CLASS_S;
-	opc_dsc.dsc$a_pointer = (char *)opcdef_p;
+	opc_dsc.dsc$a_pointer = (OPCDEF_TYPE) opcdef_p;
 	opc_dsc.dsc$w_length = len + 8;
 
 	sys$sndopr(opc_dsc, 0);
diff --git a/src/lib/libssl/src/crypto/bn/bn.h b/src/lib/libssl/src/crypto/bn/bn.h
index e484b7fc11..a0bc47837d 100644
--- a/src/lib/libssl/src/crypto/bn/bn.h
+++ b/src/lib/libssl/src/crypto/bn/bn.h
@@ -253,6 +253,24 @@ extern "C" {
 #define BN_HEX_FMT2	"%08X"
 #endif
 
+/* 2011-02-22 SMS.
+ * In various places, a size_t variable or a type cast to size_t was
+ * used to perform integer-only operations on pointers.  This failed on
+ * VMS with 64-bit pointers (CC /POINTER_SIZE = 64) because size_t is
+ * still only 32 bits.  What's needed in these cases is an integer type
+ * with the same size as a pointer, which size_t is not certain to be. 
+ * The only fix here is VMS-specific.
+ */
+#if defined(OPENSSL_SYS_VMS)
+# if __INITIAL_POINTER_SIZE == 64
+#  define PTR_SIZE_INT long long
+# else /* __INITIAL_POINTER_SIZE == 64 */
+#  define PTR_SIZE_INT int
+# endif /* __INITIAL_POINTER_SIZE == 64 [else] */
+#else /* defined(OPENSSL_SYS_VMS) */
+# define PTR_SIZE_INT size_t
+#endif /* defined(OPENSSL_SYS_VMS) [else] */
+
 #define BN_DEFAULT_BITS	1280
 
 #define BN_FLG_MALLOCED		0x01
diff --git a/src/lib/libssl/src/crypto/bn/bn_exp2.c b/src/lib/libssl/src/crypto/bn/bn_exp2.c
index b3f43cec8c..bd0c34b91b 100644
--- a/src/lib/libssl/src/crypto/bn/bn_exp2.c
+++ b/src/lib/libssl/src/crypto/bn/bn_exp2.c
@@ -301,7 +301,8 @@ int BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1,
 			r_is_one = 0;
 			}
 		}
-	BN_from_montgomery(rr,r,mont,ctx);
+	if (!BN_from_montgomery(rr,r,mont,ctx))
+		goto err;
 	ret=1;
 err:
 	if ((in_mont == NULL) && (mont != NULL)) BN_MONT_CTX_free(mont);
diff --git a/src/lib/libssl/src/crypto/bn/bn_mont.c b/src/lib/libssl/src/crypto/bn/bn_mont.c
index 7224637ab3..1a866880f5 100644
--- a/src/lib/libssl/src/crypto/bn/bn_mont.c
+++ b/src/lib/libssl/src/crypto/bn/bn_mont.c
@@ -277,7 +277,7 @@ static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont)
 	m1|=m2;			/* (al!=ri) */
 	m1|=(0-(size_t)v);	/* (al!=ri || v) */
 	m1&=~m2;		/* (al!=ri || v) && !al>ri */
-	nrp=(BN_ULONG *)(((size_t)rp&~m1)|((size_t)ap&m1));
+	nrp=(BN_ULONG *)(((PTR_SIZE_INT)rp&~m1)|((PTR_SIZE_INT)ap&m1));
 	}
 
 	/* 'i<ri' is chosen to eliminate dependency on input data, even
diff --git a/src/lib/libssl/src/crypto/bn/bn_mul.c b/src/lib/libssl/src/crypto/bn/bn_mul.c
index a0e9ec3b46..12e5be80eb 100644
--- a/src/lib/libssl/src/crypto/bn/bn_mul.c
+++ b/src/lib/libssl/src/crypto/bn/bn_mul.c
@@ -551,7 +551,7 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
 	     int tna, int tnb, BN_ULONG *t)
 	{
 	int i,j,n2=n*2;
-	int c1,c2,neg,zero;
+	int c1,c2,neg;
 	BN_ULONG ln,lo,*p;
 
 # ifdef BN_COUNT
@@ -567,7 +567,7 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
 	/* r=(a[0]-a[1])*(b[1]-b[0]) */
 	c1=bn_cmp_part_words(a,&(a[n]),tna,n-tna);
 	c2=bn_cmp_part_words(&(b[n]),b,tnb,tnb-n);
-	zero=neg=0;
+	neg=0;
 	switch (c1*3+c2)
 		{
 	case -4:
@@ -575,7 +575,6 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
 		bn_sub_part_words(&(t[n]),b,      &(b[n]),tnb,n-tnb); /* - */
 		break;
 	case -3:
-		zero=1;
 		/* break; */
 	case -2:
 		bn_sub_part_words(t,      &(a[n]),a,      tna,tna-n); /* - */
@@ -585,7 +584,6 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
 	case -1:
 	case 0:
 	case 1:
-		zero=1;
 		/* break; */
 	case 2:
 		bn_sub_part_words(t,      a,      &(a[n]),tna,n-tna); /* + */
@@ -593,7 +591,6 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
 		neg=1;
 		break;
 	case 3:
-		zero=1;
 		/* break; */
 	case 4:
 		bn_sub_part_words(t,      a,      &(a[n]),tna,n-tna);
@@ -1012,7 +1009,6 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
 		{
 		if (i >= -1 && i <= 1)
 			{
-			int sav_j =0;
 			/* Find out the power of two lower or equal
 			   to the longest of the two numbers */
 			if (i >= 0)
@@ -1023,7 +1019,6 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
 				{
 				j = BN_num_bits_word((BN_ULONG)bl);
 				}
-			sav_j = j;
 			j = 1<<(j-1);
 			assert(j <= al || j <= bl);
 			k = j+j;
diff --git a/src/lib/libssl/src/crypto/comp/c_rle.c b/src/lib/libssl/src/crypto/comp/c_rle.c
index efd366fa22..18bceae51e 100644
--- a/src/lib/libssl/src/crypto/comp/c_rle.c
+++ b/src/lib/libssl/src/crypto/comp/c_rle.c
@@ -46,7 +46,7 @@ static int rle_expand_block(COMP_CTX *ctx, unsigned char *out,
 	{
 	int i;
 
-	if (olen < (ilen-1))
+	if (ilen == 0 || olen < (ilen-1))
 		{
 		/* ZZZZZZZZZZZZZZZZZZZZZZ */
 		return(-1);
@@ -59,4 +59,3 @@ static int rle_expand_block(COMP_CTX *ctx, unsigned char *out,
 		}
 	return(ilen-1);
 	}
-
diff --git a/src/lib/libssl/src/crypto/conf/conf_api.c b/src/lib/libssl/src/crypto/conf/conf_api.c
index 22617e5fa1..f5fcbb9f6b 100644
--- a/src/lib/libssl/src/crypto/conf/conf_api.c
+++ b/src/lib/libssl/src/crypto/conf/conf_api.c
@@ -64,6 +64,7 @@
 #endif
 
 #include <assert.h>
+#include <stdlib.h>
 #include <string.h>
 #include <openssl/conf.h>
 #include <openssl/conf_api.h>
@@ -285,7 +286,7 @@ CONF_VALUE *_CONF_new_section(CONF *conf, const char *section)
 	v->value=(char *)sk;
 	
 	vv=lh_CONF_VALUE_insert(conf->data,v);
-	assert(vv == NULL);
+	OPENSSL_assert(vv == NULL);
 	ok=1;
 err:
 	if (!ok)
diff --git a/src/lib/libssl/src/crypto/conf/conf_def.c b/src/lib/libssl/src/crypto/conf/conf_def.c
index 0b571b0394..cf951320af 100644
--- a/src/lib/libssl/src/crypto/conf/conf_def.c
+++ b/src/lib/libssl/src/crypto/conf/conf_def.c
@@ -213,13 +213,12 @@ static int def_load_bio(CONF *conf, BIO *in, long *line)
 	int bufnum=0,i,ii;
 	BUF_MEM *buff=NULL;
 	char *s,*p,*end;
-	int again,n;
+	int again;
 	long eline=0;
 	char btmp[DECIMAL_SIZE(eline)+1];
 	CONF_VALUE *v=NULL,*tv;
 	CONF_VALUE *sv=NULL;
 	char *section=NULL,*buf;
-	STACK_OF(CONF_VALUE) *section_sk=NULL,*ts;
 	char *start,*psection,*pname;
 	void *h = (void *)(conf->data);
 
@@ -250,7 +249,6 @@ static int def_load_bio(CONF *conf, BIO *in, long *line)
 					CONF_R_UNABLE_TO_CREATE_NEW_SECTION);
 		goto err;
 		}
-	section_sk=(STACK_OF(CONF_VALUE) *)sv->value;
 
 	bufnum=0;
 	again=0;
@@ -309,7 +307,6 @@ static int def_load_bio(CONF *conf, BIO *in, long *line)
 		buf=buff->data;
 
 		clear_comments(conf, buf);
-		n=strlen(buf);
 		s=eat_ws(conf, buf);
 		if (IS_EOF(conf,*s)) continue; /* blank line */
 		if (*s == '[')
@@ -343,7 +340,6 @@ again:
 					CONF_R_UNABLE_TO_CREATE_NEW_SECTION);
 				goto err;
 				}
-			section_sk=(STACK_OF(CONF_VALUE) *)sv->value;
 			continue;
 			}
 		else
@@ -406,13 +402,9 @@ again:
 					   CONF_R_UNABLE_TO_CREATE_NEW_SECTION);
 					goto err;
 					}
-				ts=(STACK_OF(CONF_VALUE) *)tv->value;
 				}
 			else
-				{
 				tv=sv;
-				ts=section_sk;
-				}
 #if 1
 			if (_CONF_add_string(conf, tv, v) == 0)
 				{
@@ -465,9 +457,6 @@ err:
 
 static void clear_comments(CONF *conf, char *p)
 	{
-	char *to;
-
-	to=p;
 	for (;;)
 		{
 		if (IS_FCOMMENT(conf,*p))
diff --git a/src/lib/libssl/src/crypto/cryptlib.c b/src/lib/libssl/src/crypto/cryptlib.c
index b4449b86d6..24fe123e14 100644
--- a/src/lib/libssl/src/crypto/cryptlib.c
+++ b/src/lib/libssl/src/crypto/cryptlib.c
@@ -731,7 +731,6 @@ BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason,
 	case DLL_THREAD_ATTACH:
 		break;
 	case DLL_THREAD_DETACH:
-		ERR_remove_state(0);
 		break;
 	case DLL_PROCESS_DETACH:
 		break;
@@ -743,6 +742,16 @@ BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason,
 #if defined(_WIN32) && !defined(__CYGWIN__)
 #include <tchar.h>
 #include <signal.h>
+#ifdef __WATCOMC__
+#if defined(_UNICODE) || defined(__UNICODE__)
+#define _vsntprintf _vsnwprintf
+#else
+#define _vsntprintf _vsnprintf
+#endif
+#endif
+#ifdef _MSC_VER
+#define alloca _alloca
+#endif
 
 #if defined(_WIN32_WINNT) && _WIN32_WINNT>=0x0333
 int OPENSSL_isservice(void)
@@ -773,11 +782,7 @@ int OPENSSL_isservice(void)
 
     if (len>512) return -1;		/* paranoia */
     len++,len&=~1;			/* paranoia */
-#ifdef _MSC_VER
-    name=(WCHAR *)_alloca(len+sizeof(WCHAR));
-#else
     name=(WCHAR *)alloca(len+sizeof(WCHAR));
-#endif
     if (!GetUserObjectInformationW (h,UOI_NAME,name,len,&len))
 	return -1;
 
@@ -822,11 +827,7 @@ void OPENSSL_showfatal (const char *fmta,...)
       size_t len_0=strlen(fmta)+1,i;
       WCHAR *fmtw;
 
-#ifdef _MSC_VER
-	fmtw = (WCHAR *)_alloca (len_0*sizeof(WCHAR));
-#else
-	fmtw = (WCHAR *)alloca (len_0*sizeof(WCHAR));
-#endif
+	fmtw = (WCHAR *)alloca(len_0*sizeof(WCHAR));
 	if (fmtw == NULL) { fmt=(const TCHAR *)L"no stack?"; break; }
 
 #ifndef OPENSSL_NO_MULTIBYTE
diff --git a/src/lib/libssl/src/crypto/crypto-lib.com b/src/lib/libssl/src/crypto/crypto-lib.com
index a4b6635091..a29c0afd93 100644
--- a/src/lib/libssl/src/crypto/crypto-lib.com
+++ b/src/lib/libssl/src/crypto/crypto-lib.com
@@ -47,11 +47,33 @@ $!  P6, if defined, sets a choice of crypto methods to compile.
 $!  WARNING: this should only be done to recompile some part of an already
 $!  fully compiled library.
 $!
+$!  P7, if defined, specifies the C pointer size.  Ignored on VAX.
+$!      ("64=ARGV" gives more efficient code with HP C V7.3 or newer.)
+$!      Supported values are:
+$!
+$!      ""       Compile with default (/NOPOINTER_SIZE)
+$!      32       Compile with /POINTER_SIZE=32 (SHORT)
+$!      64       Compile with /POINTER_SIZE=64[=ARGV] (LONG[=ARGV]).
+$!               (Automatically select ARGV if compiler supports it.)
+$!      64=      Compile with /POINTER_SIZE=64 (LONG).
+$!      64=ARGV  Compile with /POINTER_SIZE=64=ARGV (LONG=ARGV).
+$!
+$!  P8, if defined, specifies a directory where ZLIB files (zlib.h,
+$!  libz.olb) may be found.  Optionally, a non-default object library
+$!  name may be included ("dev:[dir]libz_64.olb", for example).
+$!
+$!
+$! Announce/identify.
+$!
+$ proc = f$environment( "procedure")
+$ write sys$output "@@@ "+ -
+   f$parse( proc, , , "name")+ f$parse( proc, , , "type")
 $!
 $! Define A TCP/IP Library That We Will Need To Link To.
 $! (That Is, If We Need To Link To One.)
 $!
 $ TCPIP_LIB = ""
+$ ZLIB_LIB = ""
 $!
 $! Check Which Architecture We Are Using.
 $!
@@ -75,6 +97,11 @@ $! End The Architecture Check.
 $!
 $ ENDIF
 $!
+$ ARCHD = ARCH
+$ LIB32 = "32"
+$ OPT_FILE = ""
+$ POINTER_SIZE = ""
+$!
 $! Define The Different Encryption Types.
 $! NOTE: Some might think this list ugly.  However, it's made this way to
 $! reflect the SDIRS variable in [-]Makefile.org as closely as possible,
@@ -91,17 +118,29 @@ $ ENCRYPT_TYPES = "Basic,"+ -
 		  "EVP,EVP_2,EVP_3,ASN1,ASN1_2,PEM,X509,X509V3,"+ -
 		  "CONF,TXT_DB,PKCS7,PKCS12,COMP,OCSP,UI,KRB5,"+ -
 		  "STORE,CMS,PQUEUE,TS,JPAKE"
-$! Define The OBJ Directory.
 $!
-$ OBJ_DIR := SYS$DISK:[-.'ARCH'.OBJ.CRYPTO]
+$! Check To Make Sure We Have Valid Command Line Parameters.
+$!
+$ GOSUB CHECK_OPTIONS
 $!
-$! Define The EXE Directory.
+$! Define The OBJ and EXE Directories.
 $!
-$ EXE_DIR := SYS$DISK:[-.'ARCH'.EXE.CRYPTO]
+$ OBJ_DIR := SYS$DISK:[-.'ARCHD'.OBJ.CRYPTO]
+$ EXE_DIR := SYS$DISK:[-.'ARCHD'.EXE.CRYPTO]
 $!
-$! Check To Make Sure We Have Valid Command Line Parameters.
+$! Specify the destination directory in any /MAP option.
 $!
-$ GOSUB CHECK_OPTIONS
+$ if (LINKMAP .eqs. "MAP")
+$ then
+$   LINKMAP = LINKMAP+ "=''EXE_DIR'"
+$ endif
+$!
+$! Add the location prefix to the linker options file name.
+$!
+$ if (OPT_FILE .nes. "")
+$ then
+$   OPT_FILE = EXE_DIR+ OPT_FILE
+$ endif
 $!
 $! Initialise logical names and such
 $!
@@ -109,7 +148,7 @@ $ GOSUB INITIALISE
 $!
 $! Tell The User What Kind of Machine We Run On.
 $!
-$ WRITE SYS$OUTPUT "Compiling On A ",ARCH," Machine."
+$ WRITE SYS$OUTPUT "Host system architecture: ''ARCHD'"
 $!
 $!
 $! Check To See If The Architecture Specific OBJ Directory Exists.
@@ -140,11 +179,11 @@ $ ENDIF
 $!
 $! Define The Library Name.
 $!
-$ LIB_NAME := 'EXE_DIR'LIBCRYPTO.OLB
+$ LIB_NAME := 'EXE_DIR'SSL_LIBCRYPTO'LIB32'.OLB
 $!
 $! Define The CRYPTO-LIB We Are To Use.
 $!
-$ CRYPTO_LIB := 'EXE_DIR'LIBCRYPTO.OLB
+$ CRYPTO_LIB := 'EXE_DIR'SSL_LIBCRYPTO'LIB32'.OLB
 $!
 $! Check To See If We Already Have A "[.xxx.EXE.CRYPTO]LIBCRYPTO.OLB" Library...
 $!
@@ -193,7 +232,7 @@ $ LIB_CAST = "c_skey,c_ecb,c_enc,c_cfb64,c_ofb64"
 $ LIB_CAMELLIA = "camellia,cmll_misc,cmll_ecb,cmll_cbc,cmll_ofb,"+ -
 	"cmll_cfb,cmll_ctr"
 $ LIB_SEED = "seed,seed_ecb,seed_cbc,seed_cfb,seed_ofb"
-$ LIB_MODES = "cbc128,ctr128,cfb128,ofb128"
+$ LIB_MODES = "cbc128,ctr128,cts128,cfb128,ofb128"
 $ LIB_BN_ASM = "[.asm]vms.mar,vms-helper"
 $ IF F$TRNLNM("OPENSSL_NO_ASM") .OR. ARCH .NES. "VAX" THEN -
      LIB_BN_ASM = "bn_asm"
@@ -301,15 +340,23 @@ $ LIB_JPAKE = "jpake,jpake_err"
 $!
 $! Setup exceptional compilations
 $!
-$ ! Add definitions for no threads on OpenVMS 7.1 and higher
+$ CC3_SHOWN = 0
+$ CC4_SHOWN = 0
+$ CC5_SHOWN = 0
+$ CC6_SHOWN = 0
+$!
+$! The following lists must have leading and trailing commas, and no
+$! embedded spaces.  (They are scanned for ",name,".)
+$!
+$ ! Add definitions for no threads on OpenVMS 7.1 and higher.
 $ COMPILEWITH_CC3 = ",bss_rtcp,"
-$ ! Disable the DOLLARID warning
-$ COMPILEWITH_CC4 = ",a_utctm,bss_log,o_time,o_dir"
-$ ! Disable disjoint optimization
+$ ! Disable the DOLLARID warning.  Not needed with /STANDARD=RELAXED.
+$ COMPILEWITH_CC4 = "" !!! ",a_utctm,bss_log,o_time,o_dir,"
+$ ! Disable disjoint optimization on VAX with DECC.
 $ COMPILEWITH_CC5 = ",md2_dgst,md4_dgst,md5_dgst,mdc2dgst," + -
                     "seed,sha_dgst,sha1dgst,rmd_dgst,bf_enc,"
-$ ! Disable the MIXLINKAGE warning
-$ COMPILEWITH_CC6 = ",enc_read,set_key,"
+$ ! Disable the MIXLINKAGE warning.
+$ COMPILEWITH_CC6 = "" !!! ",enc_read,set_key,"
 $!
 $! Figure Out What Other Modules We Are To Build.
 $!
@@ -515,31 +562,60 @@ $   WRITE SYS$OUTPUT "Compiling The ",FILE_NAME," File.  (",BUILDALL,",",STATE,"
 $ ENDIF
 $ IF (MODULE_NAME.NES."")
 $ THEN 
-$   WRITE SYS$OUTPUT "	",FILE_NAME,""
+$   WRITE SYS$OUTPUT "        ",FILE_NAME,""
 $ ENDIF
 $!
 $! Compile The File.
 $!
 $ ON ERROR THEN GOTO NEXT_FILE
-$ FILE_NAME0 = F$ELEMENT(0,".",FILE_NAME)
+$ FILE_NAME0 = ","+ F$ELEMENT(0,".",FILE_NAME)+ ","
 $ IF FILE_NAME - ".mar" .NES. FILE_NAME
 $ THEN
 $   MACRO/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
 $ ELSE
 $   IF COMPILEWITH_CC3 - FILE_NAME0 .NES. COMPILEWITH_CC3
 $   THEN
+$     write sys$output "        \Using special rule (3)"
+$     if (.not. CC3_SHOWN)
+$     then
+$       CC3_SHOWN = 1
+$       x = "    "+ CC3
+$       write /symbol sys$output x
+$     endif
 $     CC3/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
 $   ELSE
 $     IF COMPILEWITH_CC4 - FILE_NAME0 .NES. COMPILEWITH_CC4
 $     THEN
+$       write /symbol sys$output "        \Using special rule (4)"
+$       if (.not. CC4_SHOWN)
+$       then
+$         CC4_SHOWN = 1
+$         x = "    "+ CC4
+$         write /symbol sys$output x
+$       endif
 $       CC4/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
 $     ELSE
-$       IF COMPILEWITH_CC5 - FILE_NAME0 .NES. COMPILEWITH_CC5
+$       IF CC5_DIFFERENT .AND. -
+         (COMPILEWITH_CC5 - FILE_NAME0 .NES. COMPILEWITH_CC5)
 $       THEN
+$         write sys$output "        \Using special rule (5)"
+$         if (.not. CC5_SHOWN)
+$         then
+$           CC5_SHOWN = 1
+$           x = "    "+ CC5
+$           write /symbol sys$output x
+$         endif
 $         CC5/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
 $       ELSE
 $         IF COMPILEWITH_CC6 - FILE_NAME0 .NES. COMPILEWITH_CC6
 $         THEN
+$           write sys$output "        \Using special rule (6)"
+$           if (.not. CC6_SHOWN)
+$           then
+$             CC6_SHOWN = 1
+$             x = "    "+ CC6
+$             write /symbol sys$output x
+$           endif
 $           CC6/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
 $         ELSE
 $           CC/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
@@ -586,38 +662,22 @@ $!   SHOW SYMBOL APPLICATION*
 $!
 $! Tell the user what happens
 $!
-$   WRITE SYS$OUTPUT "	",APPLICATION,".exe"
+$   WRITE SYS$OUTPUT "        ",APPLICATION,".exe"
 $!
 $! Link The Program.
 $!
 $   ON ERROR THEN GOTO NEXT_APPLICATION
 $!
-$! Check To See If We Are To Link With A Specific TCP/IP Library.
+$!  Link With A TCP/IP Library.
 $!
-$   IF (TCPIP_LIB.NES."")
-$   THEN
+$   LINK /'DEBUGGER' /'LINKMAP' /'TRACEBACK' -
+     /EXE='EXE_DIR''APPLICATION'.EXE -
+     'OBJ_DIR''APPLICATION_OBJECTS', -
+     'CRYPTO_LIB'/LIBRARY -
+     'TCPIP_LIB' -
+     'ZLIB_LIB' -
+     ,'OPT_FILE' /OPTIONS
 $!
-$!    Link With A TCP/IP Library.
-$!
-$     LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR''APPLICATION'.EXE -
-          'OBJ_DIR''APPLICATION_OBJECTS', -
-	  'CRYPTO_LIB'/LIBRARY, -
-          'TCPIP_LIB','OPT_FILE'/OPTION
-$!
-$! Else...
-$!
-$   ELSE
-$!
-$!    Don't Link With A TCP/IP Library.
-$!
-$     LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR''APPLICATION'.EXE -
-          'OBJ_DIR''APPLICATION_OBJECTS',-
-	  'CRYPTO_LIB'/LIBRARY, -
-          'OPT_FILE'/OPTION
-$!
-$! End The TCP/IP Library Check.
-$!
-$   ENDIF
 $   GOTO NEXT_APPLICATION
 $  APPLICATION_DONE:
 $ ENDIF
@@ -656,7 +716,7 @@ $!
 $     CREATE 'OPT_FILE'
 $DECK
 !
-! Default System Options File To Link Agianst 
+! Default System Options File To Link Against 
 ! The Sharable VAX C Runtime Library.
 !
 SYS$SHARE:VAXCRTL.EXE/SHARE
@@ -685,7 +745,7 @@ $!
 $     CREATE 'OPT_FILE'
 $DECK
 !
-! Default System Options File To Link Agianst 
+! Default System Options File To Link Against 
 ! The Sharable C Runtime Library.
 !
 GNU_CC:[000000]GCCLIB/LIBRARY
@@ -720,7 +780,7 @@ $!
 $       CREATE 'OPT_FILE'
 $DECK
 !
-! Default System Options File To Link Agianst 
+! Default System Options File To Link Against 
 ! The Sharable DEC C Runtime Library.
 !
 SYS$SHARE:DECC$SHR.EXE/SHARE
@@ -735,7 +795,7 @@ $!
 $       CREATE 'OPT_FILE'
 $DECK
 !
-! Default System Options File For non-VAX To Link Agianst 
+! Default System Options File For non-VAX To Link Against 
 ! The Sharable C Runtime Library.
 !
 SYS$SHARE:CMA$OPEN_LIB_SHR/SHARE
@@ -756,7 +816,7 @@ $ ENDIF
 $!
 $!  Tell The User What Linker Option File We Are Using.
 $!
-$ WRITE SYS$OUTPUT "Using Linker Option File ",OPT_FILE,"."	
+$ WRITE SYS$OUTPUT "Using Linker Option File ",OPT_FILE,"."
 $!
 $! Time To RETURN.
 $!
@@ -803,8 +863,8 @@ $     WRITE SYS$OUTPUT "    APPS     :  To Compile Just The [.xxx.EXE.CRYPTO]*.E
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT " Where 'xxx' Stands For:"
 $     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "    ALPHA    :  Alpha Architecture."
-$     WRITE SYS$OUTPUT "    IA64     :  IA64 Architecture."
+$     WRITE SYS$OUTPUT "    ALPHA[64]:  Alpha Architecture."
+$     WRITE SYS$OUTPUT "    IA64[64] :  IA64 Architecture."
 $     WRITE SYS$OUTPUT "    VAX      :  VAX Architecture."
 $     WRITE SYS$OUTPUT ""
 $!
@@ -825,15 +885,16 @@ $!
 $ IF (P2.EQS."NODEBUG")
 $ THEN
 $!
-$!   P2 Is NODEBUG, So Compile Without The Debugger Information.
+$!  P2 Is NODEBUG, So Compile Without The Debugger Information.
 $!
-$    DEBUGGER = "NODEBUG"
-$    TRACEBACK = "NOTRACEBACK" 
-$    GCC_OPTIMIZE = "OPTIMIZE"
-$    CC_OPTIMIZE = "OPTIMIZE"
-$    MACRO_OPTIMIZE = "OPTIMIZE"
-$    WRITE SYS$OUTPUT "No Debugger Information Will Be Produced During Compile."
-$    WRITE SYS$OUTPUT "Compiling With Compiler Optimization."
+$   DEBUGGER = "NODEBUG"
+$   LINKMAP = "NOMAP"
+$   TRACEBACK = "NOTRACEBACK" 
+$   GCC_OPTIMIZE = "OPTIMIZE"
+$   CC_OPTIMIZE = "OPTIMIZE"
+$   MACRO_OPTIMIZE = "OPTIMIZE"
+$   WRITE SYS$OUTPUT "No Debugger Information Will Be Produced During Compile."
+$   WRITE SYS$OUTPUT "Compiling With Compiler Optimization."
 $ ELSE
 $!
 $!  Check To See If We Are To Compile With Debugger Information.
@@ -844,6 +905,7 @@ $!
 $!    Compile With Debugger Information.
 $!
 $     DEBUGGER = "DEBUG"
+$     LINKMAP = "MAP"
 $     TRACEBACK = "TRACEBACK"
 $     GCC_OPTIMIZE = "NOOPTIMIZE"
 $     CC_OPTIMIZE = "NOOPTIMIZE"
@@ -852,7 +914,7 @@ $     WRITE SYS$OUTPUT "Debugger Information Will Be Produced During Compile."
 $     WRITE SYS$OUTPUT "Compiling Without Compiler Optimization."
 $   ELSE 
 $!
-$!    They Entered An Invalid Option..
+$!    They Entered An Invalid Option.
 $!
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT "The Option ",P2," Is Invalid.  The Valid Options Are:"
@@ -907,6 +969,60 @@ $! End The P5 Check.
 $!
 $ ENDIF
 $!
+$! Check P7 (POINTER_SIZE).
+$!
+$ IF (P7 .NES. "") .AND. (ARCH .NES. "VAX")
+$ THEN
+$!
+$   IF (P7 .EQS. "32")
+$   THEN
+$     POINTER_SIZE = " /POINTER_SIZE=32"
+$   ELSE
+$     POINTER_SIZE = F$EDIT( P7, "COLLAPSE, UPCASE")
+$     IF ((POINTER_SIZE .EQS. "64") .OR. -
+       (POINTER_SIZE .EQS. "64=") .OR. -
+       (POINTER_SIZE .EQS. "64=ARGV"))
+$     THEN
+$       ARCHD = ARCH+ "_64"
+$       LIB32 = ""
+$       POINTER_SIZE = " /POINTER_SIZE=64"
+$     ELSE
+$!
+$!      Tell The User Entered An Invalid Option.
+$!
+$       WRITE SYS$OUTPUT ""
+$       WRITE SYS$OUTPUT "The Option ", P7, -
+         " Is Invalid.  The Valid Options Are:"
+$       WRITE SYS$OUTPUT ""
+$       WRITE SYS$OUTPUT -
+         "    """"       :  Compile with default (short) pointers."
+$       WRITE SYS$OUTPUT -
+         "    32       :  Compile with 32-bit (short) pointers."
+$       WRITE SYS$OUTPUT -
+         "    64       :  Compile with 64-bit (long) pointers (auto ARGV)."
+$       WRITE SYS$OUTPUT -
+         "    64=      :  Compile with 64-bit (long) pointers (no ARGV)."
+$       WRITE SYS$OUTPUT -
+         "    64=ARGV  :  Compile with 64-bit (long) pointers (ARGV)."
+$       WRITE SYS$OUTPUT ""
+$! 
+$!      Time To EXIT.
+$!
+$       EXIT
+$!
+$     ENDIF
+$!
+$   ENDIF
+$!
+$! End The P7 (POINTER_SIZE) Check.
+$!
+$ ENDIF
+$!
+$! Set basic C compiler /INCLUDE directories.
+$!
+$ CC_INCLUDES = "SYS$DISK:[.''ARCHD'],SYS$DISK:[],SYS$DISK:[-],"+ -
+   "SYS$DISK:[.ENGINE.VENDOR_DEFNS],SYS$DISK:[.EVP],SYS$DISK:[.ASN1]"
+$!
 $! Check To See If P3 Is Blank.
 $!
 $ IF (P3.EQS."")
@@ -1007,11 +1123,64 @@ $ CCDEFS = "TCPIP_TYPE_''P4',DSO_VMS"
 $ IF F$TYPE(USER_CCDEFS) .NES. "" THEN CCDEFS = CCDEFS + "," + USER_CCDEFS
 $ CCEXTRAFLAGS = ""
 $ IF F$TYPE(USER_CCFLAGS) .NES. "" THEN CCEXTRAFLAGS = USER_CCFLAGS
-$ CCDISABLEWARNINGS = "LONGLONGTYPE,LONGLONGSUFX,FOUNDCR"
+$ CCDISABLEWARNINGS = "" !!! "LONGLONGTYPE,LONGLONGSUFX,FOUNDCR"
 $ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. "" THEN -
 	CCDISABLEWARNINGS = CCDISABLEWARNINGS + "," + USER_CCDISABLEWARNINGS
 $!
-$!  Check To See If The User Entered A Valid Paramter.
+$! Check To See If We Have A ZLIB Option.
+$!
+$ ZLIB = P8
+$ IF (ZLIB .NES. "")
+$ THEN
+$!
+$!  Check for expected ZLIB files.
+$!
+$   err = 0
+$   file1 = f$parse( "zlib.h", ZLIB, , , "SYNTAX_ONLY")
+$   if (f$search( file1) .eqs. "")
+$   then
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "The Option ", ZLIB, " Is Invalid."
+$     WRITE SYS$OUTPUT "    Can't find header: ''file1'"
+$     err = 1
+$   endif
+$   file1 = f$parse( "A.;", ZLIB)- "A.;"
+$!
+$   file2 = f$parse( ZLIB, "libz.olb", , , "SYNTAX_ONLY")
+$   if (f$search( file2) .eqs. "")
+$   then
+$     if (err .eq. 0)
+$     then
+$       WRITE SYS$OUTPUT ""
+$       WRITE SYS$OUTPUT "The Option ", ZLIB, " Is Invalid."
+$     endif
+$     WRITE SYS$OUTPUT "    Can't find library: ''file2'"
+$     WRITE SYS$OUTPUT ""
+$     err = err+ 2
+$   endif
+$   if (err .eq. 1)
+$   then
+$     WRITE SYS$OUTPUT ""
+$   endif
+$!
+$   if (err .ne. 0)
+$   then
+$     EXIT
+$   endif
+$!
+$   CCDEFS = """ZLIB=1"", "+ CCDEFS
+$   CC_INCLUDES = CC_INCLUDES+ ", "+ file1
+$   ZLIB_LIB = ", ''file2' /library"
+$!
+$!  Print info
+$!
+$   WRITE SYS$OUTPUT "ZLIB library spec: ", file2
+$!
+$! End The ZLIB Check.
+$!
+$ ENDIF
+$!
+$!  Check To See If The User Entered A Valid Parameter.
 $!
 $ IF (P3.EQS."VAXC").OR.(P3.EQS."DECC").OR.(P3.EQS."GNUC")
 $ THEN
@@ -1034,14 +1203,14 @@ $!
 $     CC = "CC"
 $     IF ARCH.EQS."VAX" .AND. F$TRNLNM("DECC$CC_DEFAULT").NES."/DECC" -
 	 THEN CC = "CC/DECC"
-$     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/STANDARD=ANSI89" + -
-           "/NOLIST/PREFIX=ALL" + -
-	   "/INCLUDE=(SYS$DISK:[],SYS$DISK:[._''ARCH'],SYS$DISK:[-],SYS$DISK:[.ENGINE.VENDOR_DEFNS],SYS$DISK:[.EVP],SYS$DISK:[.ASN1])" + -
-	   CCEXTRAFLAGS
+$     CC = CC + " /''CC_OPTIMIZE' /''DEBUGGER' /STANDARD=RELAXED"+ -
+       "''POINTER_SIZE' /NOLIST /PREFIX=ALL" + -
+       " /INCLUDE=(''CC_INCLUDES')"+ -
+       CCEXTRAFLAGS
 $!
 $!    Define The Linker Options File Name.
 $!
-$     OPT_FILE = "''EXE_DIR'VAX_DECC_OPTIONS.OPT"
+$     OPT_FILE = "VAX_DECC_OPTIONS.OPT"
 $!
 $!  End DECC Check.
 $!
@@ -1070,7 +1239,7 @@ $	EXIT
 $     ENDIF
 $     IF F$TRNLNM("DECC$CC_DEFAULT").EQS."/DECC" THEN CC = "CC/VAXC"
 $     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
-	   "/INCLUDE=(SYS$DISK:[],SYS$DISK:[._''ARCH'],SYS$DISK:[-],SYS$DISK:[.ENGINE.VENDOR_DEFNS],SYS$DISK:[.EVP],SYS$DISK:[.ASN1])" + -
+       "/INCLUDE=(''CC_INCLUDES')"+ -
 	   CCEXTRAFLAGS
 $     CCDEFS = """VAXC""," + CCDEFS
 $!
@@ -1080,7 +1249,7 @@ $     DEFINE/NOLOG SYS SYS$COMMON:[SYSLIB]
 $!
 $!    Define The Linker Options File Name.
 $!
-$     OPT_FILE = "''EXE_DIR'VAX_VAXC_OPTIONS.OPT"
+$     OPT_FILE = "VAX_VAXC_OPTIONS.OPT"
 $!
 $!  End VAXC Check
 $!
@@ -1102,12 +1271,12 @@ $!
 $!    Use GNU C...
 $!
 $     CC = "GCC/NOCASE_HACK/''GCC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
-	   "/INCLUDE=(SYS$DISK:[],SYS$DISK:[._''ARCH'],SYS$DISK:[-],SYS$DISK:[.ENGINE.VENDOR_DEFNS],SYS$DISK:[.EVP],SYS$DISK:[.ASN1])" + -
+       "/INCLUDE=(''CC_INCLUDES')"+ -
 	   CCEXTRAFLAGS
 $!
 $!    Define The Linker Options File Name.
 $!
-$     OPT_FILE = "''EXE_DIR'VAX_GNUC_OPTIONS.OPT"
+$     OPT_FILE = "VAX_GNUC_OPTIONS.OPT"
 $!
 $!  End The GNU C Check.
 $!
@@ -1128,22 +1297,24 @@ $       CC6DISABLEWARNINGS = "MIXLINKAGE"
 $     ELSE
 $       CC4DISABLEWARNINGS = CCDISABLEWARNINGS + ",DOLLARID"
 $       CC6DISABLEWARNINGS = CCDISABLEWARNINGS + ",MIXLINKAGE"
-$       CCDISABLEWARNINGS = "/WARNING=(DISABLE=(" + CCDISABLEWARNINGS + "))"
+$       CCDISABLEWARNINGS = " /WARNING=(DISABLE=(" + CCDISABLEWARNINGS + "))"
 $     ENDIF
-$     CC4DISABLEWARNINGS = "/WARNING=(DISABLE=(" + CC4DISABLEWARNINGS + "))"
-$     CC6DISABLEWARNINGS = "/WARNING=(DISABLE=(" + CC6DISABLEWARNINGS + "))"
+$     CC4DISABLEWARNINGS = " /WARNING=(DISABLE=(" + CC4DISABLEWARNINGS + "))"
+$     CC6DISABLEWARNINGS = " /WARNING=(DISABLE=(" + CC6DISABLEWARNINGS + "))"
 $   ELSE
 $     CCDISABLEWARNINGS = ""
 $     CC4DISABLEWARNINGS = ""
 $     CC6DISABLEWARNINGS = ""
 $   ENDIF
-$   CC3 = CC + "/DEFINE=(" + CCDEFS + ISSEVEN + ")" + CCDISABLEWARNINGS
-$   CC = CC + "/DEFINE=(" + CCDEFS + ")" + CCDISABLEWARNINGS
+$   CC3 = CC + " /DEFINE=(" + CCDEFS + ISSEVEN + ")" + CCDISABLEWARNINGS
+$   CC = CC + " /DEFINE=(" + CCDEFS + ")" + CCDISABLEWARNINGS
 $   IF ARCH .EQS. "VAX" .AND. COMPILER .EQS. "DECC" .AND. P2 .NES. "DEBUG"
 $   THEN
-$     CC5 = CC + "/OPTIMIZE=NODISJOINT"
+$     CC5 = CC + " /OPTIMIZE=NODISJOINT"
+$     CC5_DIFFERENT = 1
 $   ELSE
-$     CC5 = CC + "/NOOPTIMIZE"
+$     CC5 = CC
+$     CC5_DIFFERENT = 0
 $   ENDIF
 $   CC4 = CC - CCDISABLEWARNINGS + CC4DISABLEWARNINGS
 $   CC6 = CC - CCDISABLEWARNINGS + CC6DISABLEWARNINGS
@@ -1196,7 +1367,7 @@ $   THEN
 $!
 $!    Set the library to use SOCKETSHR
 $!
-$     TCPIP_LIB = "SYS$DISK:[-.VMS]SOCKETSHR_SHR.OPT/OPT"
+$     TCPIP_LIB = ",SYS$DISK:[-.VMS]SOCKETSHR_SHR.OPT /OPTIONS"
 $!
 $!    Done with SOCKETSHR
 $!
@@ -1222,13 +1393,13 @@ $   THEN
 $!
 $!    Set the library to use UCX.
 $!
-$     TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_DECC.OPT/OPT"
+$     TCPIP_LIB = ",SYS$DISK:[-.VMS]UCX_SHR_DECC.OPT /OPTIONS"
 $     IF F$TRNLNM("UCX$IPC_SHR") .NES. ""
 $     THEN
-$       TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_DECC_LOG.OPT/OPT"
+$       TCPIP_LIB = ",SYS$DISK:[-.VMS]UCX_SHR_DECC_LOG.OPT /OPTIONS"
 $     ELSE
 $       IF COMPILER .NES. "DECC" .AND. ARCH .EQS. "VAX" THEN -
-	  TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_VAXC.OPT/OPT"
+	  TCPIP_LIB = ",SYS$DISK:[-.VMS]UCX_SHR_VAXC.OPT /OPTIONS"
 $     ENDIF
 $!
 $!    Done with UCX
@@ -1242,7 +1413,7 @@ $   THEN
 $!
 $!    Set the library to use TCPIP (post UCX).
 $!
-$     TCPIP_LIB = "SYS$DISK:[-.VMS]TCPIP_SHR_DECC.OPT/OPT"
+$     TCPIP_LIB = ",SYS$DISK:[-.VMS]TCPIP_SHR_DECC.OPT /OPTIONS"
 $!
 $!    Done with TCPIP
 $!
@@ -1263,7 +1434,7 @@ $   ENDIF
 $!
 $!  Print info
 $!
-$   WRITE SYS$OUTPUT "TCP/IP library spec: ", TCPIP_LIB
+$   WRITE SYS$OUTPUT "TCP/IP library spec: ", TCPIP_LIB- ","
 $!
 $!  Else The User Entered An Invalid Argument.
 $!
diff --git a/src/lib/libssl/src/crypto/dsa/dsa_gen.c b/src/lib/libssl/src/crypto/dsa/dsa_gen.c
index 0fcd25f8b0..cb0b4538a4 100644
--- a/src/lib/libssl/src/crypto/dsa/dsa_gen.c
+++ b/src/lib/libssl/src/crypto/dsa/dsa_gen.c
@@ -120,7 +120,7 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
 	BIGNUM *r0,*W,*X,*c,*test;
 	BIGNUM *g=NULL,*q=NULL,*p=NULL;
 	BN_MONT_CTX *mont=NULL;
-	int i, k,n=0,b,m=0, qsize = qbits >> 3;
+	int i, k, n=0, m=0, qsize = qbits >> 3;
 	int counter=0;
 	int r=0;
 	BN_CTX *ctx=NULL;
@@ -232,7 +232,6 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
 		/* "offset = 2" */
 
 		n=(bits-1)/160;
-		b=(bits-1)-n*160;
 
 		for (;;)
 			{
diff --git a/src/lib/libssl/src/crypto/dsa/dsa_ossl.c b/src/lib/libssl/src/crypto/dsa/dsa_ossl.c
index 4fead07e80..a3ddd7d281 100644
--- a/src/lib/libssl/src/crypto/dsa/dsa_ossl.c
+++ b/src/lib/libssl/src/crypto/dsa/dsa_ossl.c
@@ -148,15 +148,6 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
 
 	s=BN_new();
 	if (s == NULL) goto err;
-
-	/* reject a excessive digest length (currently at most
-	 * dsa-with-SHA256 is supported) */
-	if (dlen > SHA256_DIGEST_LENGTH)
-		{
-		reason=DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE;
-		goto err;
-		}
-
 	ctx=BN_CTX_new();
 	if (ctx == NULL) goto err;
 
@@ -185,7 +176,7 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
 	if (!BN_mod_mul(&xr,dsa->priv_key,r,dsa->q,ctx)) goto err;/* s = xr */
 	if (!BN_add(s, &xr, &m)) goto err;		/* s = m + xr */
 	if (BN_cmp(s,dsa->q) > 0)
-		BN_sub(s,s,dsa->q);
+		if (!BN_sub(s,s,dsa->q)) goto err;
 	if (!BN_mod_mul(s,s,kinv,dsa->q,ctx)) goto err;
 
 	ret=DSA_SIG_new();
@@ -325,15 +316,6 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
 		DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MODULUS_TOO_LARGE);
 		return -1;
 		}
-
-	/* reject a excessive digest length (currently at most
-	 * dsa-with-SHA256 is supported) */
-	if (dgst_len > SHA256_DIGEST_LENGTH)
-		{
-		DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
-		return -1;
-		}
-
 	BN_init(&u1);
 	BN_init(&u2);
 	BN_init(&t1);
diff --git a/src/lib/libssl/src/crypto/dso/dso_dlfcn.c b/src/lib/libssl/src/crypto/dso/dso_dlfcn.c
index 14bd322fb8..c2bc61760b 100644
--- a/src/lib/libssl/src/crypto/dso/dso_dlfcn.c
+++ b/src/lib/libssl/src/crypto/dso/dso_dlfcn.c
@@ -85,6 +85,7 @@ DSO_METHOD *DSO_METHOD_dlfcn(void)
 # define HAVE_DLINFO 1
 # if defined(_AIX) || defined(__CYGWIN__) || \
      defined(__SCO_VERSION__) || defined(_SCO_ELF) || \
+     (defined(__osf__) && !defined(RTLD_NEXT))     || \
      (defined(__OpenBSD__) && !defined(RTLD_SELF))
 #  undef HAVE_DLINFO
 # endif
diff --git a/src/lib/libssl/src/crypto/dso/dso_vms.c b/src/lib/libssl/src/crypto/dso/dso_vms.c
index 321512772a..eee20d14f1 100644
--- a/src/lib/libssl/src/crypto/dso/dso_vms.c
+++ b/src/lib/libssl/src/crypto/dso/dso_vms.c
@@ -68,8 +68,20 @@
 #include <stsdef.h>
 #include <descrip.h>
 #include <starlet.h>
+#include "vms_rms.h"
 #endif
 
+/* Some compiler options may mask the declaration of "_malloc32". */
+#if __INITIAL_POINTER_SIZE && defined _ANSI_C_SOURCE
+# if __INITIAL_POINTER_SIZE == 64
+#  pragma pointer_size save
+#  pragma pointer_size 32
+    void * _malloc32  (__size_t);
+#  pragma pointer_size restore
+# endif /* __INITIAL_POINTER_SIZE == 64 */
+#endif /* __INITIAL_POINTER_SIZE && defined _ANSI_C_SOURCE */
+
+
 #ifndef OPENSSL_SYS_VMS
 DSO_METHOD *DSO_METHOD_vms(void)
 	{
@@ -121,14 +133,13 @@ typedef struct dso_internal_st
 	/* This should contain the name only, no directory,
 	 * no extension, nothing but a name. */
 	struct dsc$descriptor_s filename_dsc;
-	char filename[FILENAME_MAX+1];
+	char filename[ NAMX_MAXRSS+ 1];
 	/* This contains whatever is not in filename, if needed.
 	 * Normally not defined. */
 	struct dsc$descriptor_s imagename_dsc;
-	char imagename[FILENAME_MAX+1];
+	char imagename[ NAMX_MAXRSS+ 1];
 	} DSO_VMS_INTERNAL;
 
-
 DSO_METHOD *DSO_METHOD_vms(void)
 	{
 	return(&dso_meth_vms);
@@ -139,7 +150,22 @@ static int vms_load(DSO *dso)
 	void *ptr = NULL;
 	/* See applicable comments in dso_dl.c */
 	char *filename = DSO_convert_filename(dso, NULL);
-	DSO_VMS_INTERNAL *p;
+
+/* Ensure 32-bit pointer for "p", and appropriate malloc() function. */
+#if __INITIAL_POINTER_SIZE == 64
+# define DSO_MALLOC _malloc32
+# pragma pointer_size save
+# pragma pointer_size 32
+#else /* __INITIAL_POINTER_SIZE == 64 */
+# define DSO_MALLOC OPENSSL_malloc
+#endif /* __INITIAL_POINTER_SIZE == 64 [else] */
+
+	DSO_VMS_INTERNAL *p = NULL;
+
+#if __INITIAL_POINTER_SIZE == 64
+# pragma pointer_size restore
+#endif /* __INITIAL_POINTER_SIZE == 64 */
+
 	const char *sp1, *sp2;	/* Search result */
 
 	if(filename == NULL)
@@ -192,7 +218,7 @@ static int vms_load(DSO *dso)
 		goto err;
 		}
 
-	p = (DSO_VMS_INTERNAL *)OPENSSL_malloc(sizeof(DSO_VMS_INTERNAL));
+	p = DSO_MALLOC(sizeof(DSO_VMS_INTERNAL));
 	if(p == NULL)
 		{
 		DSOerr(DSO_F_VMS_LOAD,ERR_R_MALLOC_FAILURE);
@@ -290,18 +316,38 @@ void vms_bind_sym(DSO *dso, const char *symname, void **sym)
 	int flags = 0;
 #endif
 	struct dsc$descriptor_s symname_dsc;
-	*sym = NULL;
 
-	symname_dsc.dsc$w_length = strlen(symname);
-	symname_dsc.dsc$b_dtype = DSC$K_DTYPE_T;
-	symname_dsc.dsc$b_class = DSC$K_CLASS_S;
-	symname_dsc.dsc$a_pointer = (char *)symname; /* The cast is needed */
+/* Arrange 32-bit pointer to (copied) string storage, if needed. */
+#if __INITIAL_POINTER_SIZE == 64
+# define SYMNAME symname_32p
+# pragma pointer_size save
+# pragma pointer_size 32
+	char *symname_32p;
+# pragma pointer_size restore
+	char symname_32[ NAMX_MAXRSS+ 1];
+#else /* __INITIAL_POINTER_SIZE == 64 */
+# define SYMNAME ((char *) symname)
+#endif /* __INITIAL_POINTER_SIZE == 64 [else] */
+
+	*sym = NULL;
 
 	if((dso == NULL) || (symname == NULL))
 		{
 		DSOerr(DSO_F_VMS_BIND_SYM,ERR_R_PASSED_NULL_PARAMETER);
 		return;
 		}
+
+#if __INITIAL_POINTER_SIZE == 64
+	/* Copy the symbol name to storage with a 32-bit pointer. */
+	symname_32p = symname_32;
+	strcpy( symname_32p, symname);
+#endif /* __INITIAL_POINTER_SIZE == 64 [else] */
+
+	symname_dsc.dsc$w_length = strlen(SYMNAME);
+	symname_dsc.dsc$b_dtype = DSC$K_DTYPE_T;
+	symname_dsc.dsc$b_class = DSC$K_CLASS_S;
+	symname_dsc.dsc$a_pointer = SYMNAME;
+
 	if(sk_void_num(dso->meth_data) < 1)
 		{
 		DSOerr(DSO_F_VMS_BIND_SYM,DSO_R_STACK_ERROR);
@@ -372,64 +418,60 @@ static DSO_FUNC_TYPE vms_bind_func(DSO *dso, const char *symname)
 	return sym;
 	}
 
+
 static char *vms_merger(DSO *dso, const char *filespec1, const char *filespec2)
 	{
 	int status;
 	int filespec1len, filespec2len;
 	struct FAB fab;
-#ifdef NAML$C_MAXRSS
-	struct NAML nam;
-	char esa[NAML$C_MAXRSS];
-#else
-	struct NAM nam;
-	char esa[NAM$C_MAXRSS];
-#endif
+	struct NAMX_STRUCT nam;
+	char esa[ NAMX_MAXRSS+ 1];
 	char *merged;
 
+/* Arrange 32-bit pointer to (copied) string storage, if needed. */
+#if __INITIAL_POINTER_SIZE == 64
+# define FILESPEC1 filespec1_32p;
+# define FILESPEC2 filespec2_32p;
+# pragma pointer_size save
+# pragma pointer_size 32
+	char *filespec1_32p;
+	char *filespec2_32p;
+# pragma pointer_size restore
+	char filespec1_32[ NAMX_MAXRSS+ 1];
+	char filespec2_32[ NAMX_MAXRSS+ 1];
+#else /* __INITIAL_POINTER_SIZE == 64 */
+# define FILESPEC1 ((char *) filespec1)
+# define FILESPEC2 ((char *) filespec2)
+#endif /* __INITIAL_POINTER_SIZE == 64 [else] */
+
 	if (!filespec1) filespec1 = "";
 	if (!filespec2) filespec2 = "";
 	filespec1len = strlen(filespec1);
 	filespec2len = strlen(filespec2);
 
+#if __INITIAL_POINTER_SIZE == 64
+	/* Copy the file names to storage with a 32-bit pointer. */
+	filespec1_32p = filespec1_32;
+	filespec2_32p = filespec2_32;
+	strcpy( filespec1_32p, filespec1);
+	strcpy( filespec2_32p, filespec2);
+#endif /* __INITIAL_POINTER_SIZE == 64 [else] */
+
 	fab = cc$rms_fab;
-#ifdef NAML$C_MAXRSS
-	nam = cc$rms_naml;
-#else
-	nam = cc$rms_nam;
-#endif
+	nam = CC_RMS_NAMX;
 
-	fab.fab$l_fna = (char *)filespec1;
-	fab.fab$b_fns = filespec1len;
-	fab.fab$l_dna = (char *)filespec2;
-	fab.fab$b_dns = filespec2len;
-#ifdef NAML$C_MAXRSS
-	if (filespec1len > NAM$C_MAXRSS)
-		{
-		fab.fab$l_fna = 0;
-		fab.fab$b_fns = 0;
-		nam.naml$l_long_filename = (char *)filespec1;
-		nam.naml$l_long_filename_size = filespec1len;
-		}
-	if (filespec2len > NAM$C_MAXRSS)
-		{
-		fab.fab$l_dna = 0;
-		fab.fab$b_dns = 0;
-		nam.naml$l_long_defname = (char *)filespec2;
-		nam.naml$l_long_defname_size = filespec2len;
-		}
-	nam.naml$l_esa = esa;
-	nam.naml$b_ess = NAM$C_MAXRSS;
-	nam.naml$l_long_expand = esa;
-	nam.naml$l_long_expand_alloc = sizeof(esa);
-	nam.naml$b_nop = NAM$M_SYNCHK | NAM$M_PWD;
-	nam.naml$v_no_short_upcase = 1;
-	fab.fab$l_naml = &nam;
-#else
-	nam.nam$l_esa = esa;
-	nam.nam$b_ess = NAM$C_MAXRSS;
-	nam.nam$b_nop = NAM$M_SYNCHK | NAM$M_PWD;
-	fab.fab$l_nam = &nam;
-#endif
+	FAB_OR_NAML( fab, nam).FAB_OR_NAML_FNA = FILESPEC1;
+	FAB_OR_NAML( fab, nam).FAB_OR_NAML_FNS = filespec1len;
+	FAB_OR_NAML( fab, nam).FAB_OR_NAML_DNA = FILESPEC2;
+	FAB_OR_NAML( fab, nam).FAB_OR_NAML_DNS = filespec2len;
+	NAMX_DNA_FNA_SET( fab)
+
+	nam.NAMX_ESA = esa;
+	nam.NAMX_ESS = NAMX_MAXRSS;
+	nam.NAMX_NOP = NAM$M_SYNCHK | NAM$M_PWD;
+	SET_NAMX_NO_SHORT_UPCASE( nam);
+
+	fab.FAB_NAMX = &nam;
 
 	status = sys$parse(&fab, 0, 0);
 
@@ -460,33 +502,12 @@ static char *vms_merger(DSO *dso, const char *filespec1, const char *filespec2)
 			}
 		return(NULL);
 		}
-#ifdef NAML$C_MAXRSS
-	if (nam.naml$l_long_expand_size)
-		{
-		merged = OPENSSL_malloc(nam.naml$l_long_expand_size + 1);
-		if(!merged)
-			goto malloc_err;
-		strncpy(merged, nam.naml$l_long_expand,
-			nam.naml$l_long_expand_size);
-		merged[nam.naml$l_long_expand_size] = '\0';
-		}
-	else
-		{
-		merged = OPENSSL_malloc(nam.naml$b_esl + 1);
-		if(!merged)
-			goto malloc_err;
-		strncpy(merged, nam.naml$l_esa,
-			nam.naml$b_esl);
-		merged[nam.naml$b_esl] = '\0';
-		}
-#else
-	merged = OPENSSL_malloc(nam.nam$b_esl + 1);
+
+	merged = OPENSSL_malloc( nam.NAMX_ESL+ 1);
 	if(!merged)
 		goto malloc_err;
-	strncpy(merged, nam.nam$l_esa,
-		nam.nam$b_esl);
-	merged[nam.nam$b_esl] = '\0';
-#endif
+	strncpy( merged, nam.NAMX_ESA, nam.NAMX_ESL);
+	merged[ nam.NAMX_ESL] = '\0';
 	return(merged);
  malloc_err:
 	DSOerr(DSO_F_VMS_MERGER,
diff --git a/src/lib/libssl/src/crypto/ec/ec_mult.c b/src/lib/libssl/src/crypto/ec/ec_mult.c
index f05df5332e..19f21675fb 100644
--- a/src/lib/libssl/src/crypto/ec/ec_mult.c
+++ b/src/lib/libssl/src/crypto/ec/ec_mult.c
@@ -169,11 +169,13 @@ static void ec_pre_comp_clear_free(void *pre_)
 		EC_POINT **p;
 
 		for (p = pre->points; *p != NULL; p++)
+			{
 			EC_POINT_clear_free(*p);
-		OPENSSL_cleanse(pre->points, sizeof pre->points);
+			OPENSSL_cleanse(p, sizeof *p);
+			}
 		OPENSSL_free(pre->points);
 		}
-	OPENSSL_cleanse(pre, sizeof pre);
+	OPENSSL_cleanse(pre, sizeof *pre);
 	OPENSSL_free(pre);
 	}
 
diff --git a/src/lib/libssl/src/crypto/ec/ecp_smpl.c b/src/lib/libssl/src/crypto/ec/ecp_smpl.c
index 4d26f8bdf6..66a92e2a90 100644
--- a/src/lib/libssl/src/crypto/ec/ecp_smpl.c
+++ b/src/lib/libssl/src/crypto/ec/ecp_smpl.c
@@ -1406,6 +1406,9 @@ int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *
 		{
 		return EC_POINT_is_at_infinity(group, b) ? 0 : 1;
 		}
+
+	if (EC_POINT_is_at_infinity(group, b))
+		return 1;
 	
 	if (a->Z_is_one && b->Z_is_one)
 		{
diff --git a/src/lib/libssl/src/crypto/engine/engine.h b/src/lib/libssl/src/crypto/engine/engine.h
index 7fbd95f634..943aeae215 100644
--- a/src/lib/libssl/src/crypto/engine/engine.h
+++ b/src/lib/libssl/src/crypto/engine/engine.h
@@ -677,6 +677,7 @@ typedef struct st_dynamic_fns {
  * can be fully instantiated with IMPLEMENT_DYNAMIC_CHECK_FN(). */
 typedef unsigned long (*dynamic_v_check_fn)(unsigned long ossl_version);
 #define IMPLEMENT_DYNAMIC_CHECK_FN() \
+	OPENSSL_EXPORT unsigned long v_check(unsigned long v); \
 	OPENSSL_EXPORT unsigned long v_check(unsigned long v) { \
 		if(v >= OSSL_DYNAMIC_OLDEST) return OSSL_DYNAMIC_VERSION; \
 		return 0; }
@@ -699,6 +700,8 @@ typedef unsigned long (*dynamic_v_check_fn)(unsigned long ossl_version);
 typedef int (*dynamic_bind_engine)(ENGINE *e, const char *id,
 				const dynamic_fns *fns);
 #define IMPLEMENT_DYNAMIC_BIND_FN(fn) \
+	OPENSSL_EXPORT \
+	int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns); \
 	OPENSSL_EXPORT \
 	int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns) { \
 		if(ENGINE_get_static_state() == fns->static_state) goto skip_cbs; \
diff --git a/src/lib/libssl/src/crypto/evp/encode.c b/src/lib/libssl/src/crypto/evp/encode.c
index b42c747249..28546a84bc 100644
--- a/src/lib/libssl/src/crypto/evp/encode.c
+++ b/src/lib/libssl/src/crypto/evp/encode.c
@@ -235,7 +235,7 @@ void EVP_DecodeInit(EVP_ENCODE_CTX *ctx)
 int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
 	     const unsigned char *in, int inl)
 	{
-	int seof= -1,eof=0,rv= -1,ret=0,i,v,tmp,n,ln,tmp2,exp_nl;
+	int seof= -1,eof=0,rv= -1,ret=0,i,v,tmp,n,ln,exp_nl;
 	unsigned char *d;
 
 	n=ctx->num;
@@ -319,7 +319,6 @@ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
 			 * lines.  We process the line and then need to
 			 * accept the '\n' */
 			if ((v != B64_EOF) && (n >= 64)) exp_nl=1;
-			tmp2=v;
 			if (n > 0)
 				{
 				v=EVP_DecodeBlock(out,d,n);
diff --git a/src/lib/libssl/src/crypto/evp/evp_enc.c b/src/lib/libssl/src/crypto/evp/evp_enc.c
index bead6a2170..c268d25cb4 100644
--- a/src/lib/libssl/src/crypto/evp/evp_enc.c
+++ b/src/lib/libssl/src/crypto/evp/evp_enc.c
@@ -204,6 +204,7 @@ skip_to_init:
 			case EVP_CIPH_OFB_MODE:
 
 			ctx->num = 0;
+			/* fall-through */
 
 			case EVP_CIPH_CBC_MODE:
 
diff --git a/src/lib/libssl/src/crypto/evp/evp_test.c b/src/lib/libssl/src/crypto/evp/evp_test.c
index 902efac975..55c7cdfdcc 100644
--- a/src/lib/libssl/src/crypto/evp/evp_test.c
+++ b/src/lib/libssl/src/crypto/evp/evp_test.c
@@ -435,6 +435,7 @@ int main(int argc,char **argv)
 	    EXIT(3);
 	    }
 	}
+	fclose(f);
 
 #ifndef OPENSSL_NO_ENGINE
     ENGINE_cleanup();
diff --git a/src/lib/libssl/src/crypto/evp/p_lib.c b/src/lib/libssl/src/crypto/evp/p_lib.c
index 1916c61699..e26ccd0d08 100644
--- a/src/lib/libssl/src/crypto/evp/p_lib.c
+++ b/src/lib/libssl/src/crypto/evp/p_lib.c
@@ -411,7 +411,10 @@ void EVP_PKEY_free(EVP_PKEY *x)
 static void EVP_PKEY_free_it(EVP_PKEY *x)
 	{
 	if (x->ameth && x->ameth->pkey_free)
+		{
 		x->ameth->pkey_free(x);
+		x->pkey.ptr = NULL;
+		}
 #ifndef OPENSSL_NO_ENGINE
 	if (x->engine)
 		{
diff --git a/src/lib/libssl/src/crypto/evp/p_sign.c b/src/lib/libssl/src/crypto/evp/p_sign.c
index 8df6d48a7e..bb893f5bde 100644
--- a/src/lib/libssl/src/crypto/evp/p_sign.c
+++ b/src/lib/libssl/src/crypto/evp/p_sign.c
@@ -81,7 +81,7 @@ int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, unsigned int *siglen,
 	unsigned char m[EVP_MAX_MD_SIZE];
 	unsigned int m_len;
 	int i,ok=0,v;
-	MS_STATIC EVP_MD_CTX tmp_ctx;
+	EVP_MD_CTX tmp_ctx;
 
 	*siglen=0;
 	EVP_MD_CTX_init(&tmp_ctx);
diff --git a/src/lib/libssl/src/crypto/evp/p_verify.c b/src/lib/libssl/src/crypto/evp/p_verify.c
index 8db46412f3..41d4b67130 100644
--- a/src/lib/libssl/src/crypto/evp/p_verify.c
+++ b/src/lib/libssl/src/crypto/evp/p_verify.c
@@ -68,7 +68,7 @@ int EVP_VerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sigbuf,
 	unsigned char m[EVP_MAX_MD_SIZE];
 	unsigned int m_len;
 	int i,ok=0,v;
-	MS_STATIC EVP_MD_CTX tmp_ctx;
+	EVP_MD_CTX tmp_ctx;
 
 	EVP_MD_CTX_init(&tmp_ctx);
 	EVP_MD_CTX_copy_ex(&tmp_ctx,ctx);     
diff --git a/src/lib/libssl/src/crypto/hmac/hmac.c b/src/lib/libssl/src/crypto/hmac/hmac.c
index 45015fe754..6c98fc43a3 100644
--- a/src/lib/libssl/src/crypto/hmac/hmac.c
+++ b/src/lib/libssl/src/crypto/hmac/hmac.c
@@ -138,12 +138,9 @@ int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len)
 
 int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len)
 	{
-	int j;
 	unsigned int i;
 	unsigned char buf[EVP_MAX_MD_SIZE];
 
-	j=EVP_MD_block_size(ctx->md);
-
 	if (!EVP_DigestFinal_ex(&ctx->md_ctx,buf,&i))
 		goto err;
 	if (!EVP_MD_CTX_copy_ex(&ctx->md_ctx,&ctx->o_ctx))
diff --git a/src/lib/libssl/src/crypto/install-crypto.com b/src/lib/libssl/src/crypto/install-crypto.com
new file mode 100755
index 0000000000..85b3d583cf
--- /dev/null
+++ b/src/lib/libssl/src/crypto/install-crypto.com
@@ -0,0 +1,196 @@
+$! INSTALL.COM -- Installs the files in a given directory tree
+$!
+$! Author: Richard Levitte <richard@levitte.org>
+$! Time of creation: 22-MAY-1998 10:13
+$!
+$! Changes by Zoltan Arpadffy <zoli@polarhome.com>
+$!
+$! P1  root of the directory tree
+$! P2  "64" for 64-bit pointers.
+$!
+$!
+$! Announce/identify.
+$!
+$ proc = f$environment( "procedure")
+$ write sys$output "@@@ "+ -
+   f$parse( proc, , , "name")+ f$parse( proc, , , "type")
+$!
+$ on error then goto tidy
+$ on control_c then goto tidy
+$!
+$ if (p1 .eqs. "")
+$ then
+$   write sys$output "First argument missing."
+$   write sys$output -
+     "It should be the directory where you want things installed."
+$     exit
+$ endif
+$!
+$ if (f$getsyi( "cpu") .lt. 128)
+$ then
+$   arch = "VAX"
+$ else
+$   arch = f$edit( f$getsyi( "arch_name"), "upcase")
+$   if (arch .eqs. "") then arch = "UNK"
+$ endif
+$!
+$ archd = arch
+$ lib32 = "32"
+$ shr = "_SHR32"
+$!
+$ if (p2 .nes. "")
+$ then
+$   if (p2 .eqs. "64")
+$   then
+$     archd = arch+ "_64"
+$     lib32 = ""
+$     shr = "_SHR"
+$   else
+$     if (p2 .nes. "32")
+$     then
+$       write sys$output "Second argument invalid."
+$       write sys$output "It should be "32", "64", or nothing."
+$       exit
+$     endif
+$   endif
+$ endif
+$!
+$ root = f$parse( p1, "[]A.;0", , , "syntax_only, no_conceal") - "A.;0"
+$ root_dev = f$parse( root, , , "device", "syntax_only")
+$ root_dir = f$parse( root, , , "directory", "syntax_only") - -
+   "[000000." - "][" - "[" - "]"
+$ root = root_dev + "[" + root_dir
+$!
+$ define /nolog wrk_sslroot 'root'.] /trans=conc
+$ define /nolog wrk_sslinclude wrk_sslroot:[include]
+$ define /nolog wrk_sslxlib wrk_sslroot:['arch'_lib]
+$!
+$ if f$parse("wrk_sslroot:[000000]") .eqs. "" then -
+   create /directory /log wrk_sslroot:[000000]
+$ if f$parse("wrk_sslinclude:") .eqs. "" then -
+   create /directory /log wrk_sslinclude:
+$ if f$parse("wrk_sslxlib:") .eqs. "" then -
+   create /directory /log wrk_sslxlib:
+$!
+$ sdirs := , -
+   'archd', -
+   objects, -
+   md2, md4, md5, sha, mdc2, hmac, ripemd, whrlpool, -
+   des, aes, rc2, rc4, rc5, idea, bf, cast, camellia, seed, -
+   bn, ec, rsa, dsa, ecdsa, dh, ecdh, dso, engine, -
+   buffer, bio, stack, lhash, rand, err, -
+   evp, asn1, pem, x509, x509v3, conf, txt_db, pkcs7, pkcs12, comp, ocsp, -
+   ui, krb5, -
+   store, cms, pqueue, ts, jpake
+$!
+$ exheader_ := crypto.h, opensslv.h, ebcdic.h, symhacks.h, ossl_typ.h
+$ exheader_'archd' := opensslconf.h
+$ exheader_objects := objects.h, obj_mac.h
+$ exheader_md2 := md2.h
+$ exheader_md4 := md4.h
+$ exheader_md5 := md5.h
+$ exheader_sha := sha.h
+$ exheader_mdc2 := mdc2.h
+$ exheader_hmac := hmac.h
+$ exheader_ripemd := ripemd.h
+$ exheader_whrlpool := whrlpool.h
+$ exheader_des := des.h, des_old.h
+$ exheader_aes := aes.h
+$ exheader_rc2 := rc2.h
+$ exheader_rc4 := rc4.h
+$ exheader_rc5 := rc5.h
+$ exheader_idea := idea.h
+$ exheader_bf := blowfish.h
+$ exheader_cast := cast.h
+$ exheader_camellia := camellia.h
+$ exheader_seed := seed.h
+$ exheader_modes := modes.h
+$ exheader_bn := bn.h
+$ exheader_ec := ec.h
+$ exheader_rsa := rsa.h
+$ exheader_dsa := dsa.h
+$ exheader_ecdsa := ecdsa.h
+$ exheader_dh := dh.h
+$ exheader_ecdh := ecdh.h
+$ exheader_dso := dso.h
+$ exheader_engine := engine.h
+$ exheader_buffer := buffer.h
+$ exheader_bio := bio.h
+$ exheader_stack := stack.h, safestack.h
+$ exheader_lhash := lhash.h
+$ exheader_rand := rand.h
+$ exheader_err := err.h
+$ exheader_evp := evp.h
+$ exheader_asn1 := asn1.h, asn1_mac.h, asn1t.h
+$ exheader_pem := pem.h, pem2.h
+$ exheader_x509 := x509.h, x509_vfy.h
+$ exheader_x509v3 := x509v3.h
+$ exheader_conf := conf.h, conf_api.h
+$ exheader_txt_db := txt_db.h
+$ exheader_pkcs7 := pkcs7.h
+$ exheader_pkcs12 := pkcs12.h
+$ exheader_comp := comp.h
+$ exheader_ocsp := ocsp.h
+$ exheader_ui := ui.h, ui_compat.h
+$ exheader_krb5 := krb5_asn.h
+$! exheader_store := store.h, str_compat.h
+$ exheader_store := store.h
+$ exheader_cms := cms.h
+$ exheader_pqueue := pqueue.h
+$ exheader_ts := ts.h
+$ exheader_jpake := jpake.h
+$ libs := ssl_libcrypto
+$!
+$ exe_dir := [-.'archd'.exe.crypto]
+$!
+$! Header files.
+$!
+$ i = 0
+$ loop_sdirs: 
+$   d = f$edit( f$element( i, ",", sdirs), "trim")
+$   i = i + 1
+$   if d .eqs. "," then goto loop_sdirs_end
+$   tmp = exheader_'d'
+$   if (d .nes. "") then d = "."+ d
+$   copy /protection = w:re ['d']'tmp' wrk_sslinclude: /log
+$ goto loop_sdirs
+$ loop_sdirs_end:
+$!
+$! Object libraries, shareable images.
+$!
+$ i = 0
+$ loop_lib: 
+$   e = f$edit( f$element( i, ",", libs), "trim")
+$   i = i + 1
+$   if e .eqs. "," then goto loop_lib_end
+$   set noon
+$   file = exe_dir+ e+ lib32+ ".olb"
+$   if f$search( file) .nes. ""
+$   then
+$     copy /protection = w:re 'file' wrk_sslxlib: /log
+$   endif
+$!
+$   file = exe_dir+ e+ shr+ ".exe"
+$   if f$search( file) .nes. ""
+$   then
+$     copy /protection = w:re 'file' wrk_sslxlib: /log
+$   endif
+$   set on
+$ goto loop_lib
+$ loop_lib_end:
+$!
+$ tidy:
+$!
+$ call deass wrk_sslroot
+$ call deass wrk_sslinclude
+$ call deass wrk_sslxlib
+$!
+$ exit
+$!
+$ deass: subroutine
+$ if (f$trnlnm( p1, "LNM$PROCESS") .nes. "")
+$ then
+$   deassign /process 'p1'
+$ endif
+$ endsubroutine
+$!
diff --git a/src/lib/libssl/src/crypto/md32_common.h b/src/lib/libssl/src/crypto/md32_common.h
index 1cb783944e..bb7381952a 100644
--- a/src/lib/libssl/src/crypto/md32_common.h
+++ b/src/lib/libssl/src/crypto/md32_common.h
@@ -165,7 +165,7 @@
 				asm (			\
 				"roll %1,%0"		\
 				: "=r"(ret)		\
-				: "I"(n), "0"(a)	\
+				: "I"(n), "0"((unsigned int)(a))	\
 				: "cc");		\
 			   ret;				\
 			})
@@ -383,6 +383,7 @@ int HASH_FINAL (unsigned char *md, HASH_CTX *c)
 	}
 
 #ifndef MD32_REG_T
+#if defined(__alpha) || defined(__sparcv9) || defined(__mips)
 #define MD32_REG_T long
 /*
  * This comment was originaly written for MD5, which is why it
@@ -400,9 +401,15 @@ int HASH_FINAL (unsigned char *md, HASH_CTX *c)
  * Well, to be honest it should say that this *prevents* 
  * performance degradation.
  *				<appro@fy.chalmers.se>
- * Apparently there're LP64 compilers that generate better
- * code if A-D are declared int. Most notably GCC-x86_64
- * generates better code.
+ */
+#else
+/*
+ * Above is not absolute and there are LP64 compilers that
+ * generate better code if MD32_REG_T is defined int. The above
+ * pre-processor condition reflects the circumstances under which
+ * the conclusion was made and is subject to further extension.
  *				<appro@fy.chalmers.se>
  */
+#define MD32_REG_T int
+#endif
 #endif
diff --git a/src/lib/libssl/src/crypto/o_time.c b/src/lib/libssl/src/crypto/o_time.c
index eecbdd19f0..9030fdef7a 100644
--- a/src/lib/libssl/src/crypto/o_time.c
+++ b/src/lib/libssl/src/crypto/o_time.c
@@ -64,12 +64,18 @@
 #include "o_time.h"
 
 #ifdef OPENSSL_SYS_VMS
-# include <libdtdef.h>
-# include <lib$routines.h>
-# include <lnmdef.h>
-# include <starlet.h>
-# include <descrip.h>
-# include <stdlib.h>
+# if __CRTL_VER >= 70000000 && \
+     (defined _POSIX_C_SOURCE || !defined _ANSI_C_SOURCE)
+#  define VMS_GMTIME_OK
+# endif
+# ifndef VMS_GMTIME_OK
+#  include <libdtdef.h>
+#  include <lib$routines.h>
+#  include <lnmdef.h>
+#  include <starlet.h>
+#  include <descrip.h>
+#  include <stdlib.h>
+# endif /* ndef VMS_GMTIME_OK */
 #endif
 
 struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result)
@@ -81,7 +87,7 @@ struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result)
 	   so we don't even look at the return value */
 	gmtime_r(timer,result);
 	ts = result;
-#elif !defined(OPENSSL_SYS_VMS)
+#elif !defined(OPENSSL_SYS_VMS) || defined(VMS_GMTIME_OK)
 	ts = gmtime(timer);
 	if (ts == NULL)
 		return NULL;
@@ -89,7 +95,7 @@ struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result)
 	memcpy(result, ts, sizeof(struct tm));
 	ts = result;
 #endif
-#ifdef OPENSSL_SYS_VMS
+#if defined( OPENSSL_SYS_VMS) && !defined( VMS_GMTIME_OK)
 	if (ts == NULL)
 		{
 		static $DESCRIPTOR(tabnam,"LNM$DCL_LOGICAL");
diff --git a/src/lib/libssl/src/crypto/ocsp/ocsp_ht.c b/src/lib/libssl/src/crypto/ocsp/ocsp_ht.c
index 12bbfcffd1..af5fc16691 100644
--- a/src/lib/libssl/src/crypto/ocsp/ocsp_ht.c
+++ b/src/lib/libssl/src/crypto/ocsp/ocsp_ht.c
@@ -397,11 +397,12 @@ int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx)
 
 
 		case OHS_ASN1_HEADER:
-		/* Now reading ASN1 header: can read at least 6 bytes which
-		 * is more than enough for any valid ASN1 SEQUENCE header
+		/* Now reading ASN1 header: can read at least 2 bytes which
+		 * is enough for ASN1 SEQUENCE header and either length field
+		 * or at least the length of the length field.
 		 */
 		n = BIO_get_mem_data(rctx->mem, &p);
-		if (n < 6)
+		if (n < 2)
 			goto next_io;
 
 		/* Check it is an ASN1 SEQUENCE */
@@ -414,6 +415,11 @@ int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx)
 		/* Check out length field */
 		if (*p & 0x80)
 			{
+			/* If MSB set on initial length octet we can now
+			 * always read 6 octets: make sure we have them.
+			 */
+			if (n < 6)
+				goto next_io;
 			n = *p & 0x7F;
 			/* Not NDEF or excessive length */
 			if (!n || (n > 4))
diff --git a/src/lib/libssl/src/crypto/ocsp/ocsp_lib.c b/src/lib/libssl/src/crypto/ocsp/ocsp_lib.c
index 36905d76cd..e92b86c060 100644
--- a/src/lib/libssl/src/crypto/ocsp/ocsp_lib.c
+++ b/src/lib/libssl/src/crypto/ocsp/ocsp_lib.c
@@ -170,14 +170,14 @@ int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pss
 
 	char *host, *port;
 
-	/* dup the buffer since we are going to mess with it */
-	buf = BUF_strdup(url);
-	if (!buf) goto mem_err;
-
 	*phost = NULL;
 	*pport = NULL;
 	*ppath = NULL;
 
+	/* dup the buffer since we are going to mess with it */
+	buf = BUF_strdup(url);
+	if (!buf) goto mem_err;
+
 	/* Check for initial colon */
 	p = strchr(buf, ':');
 
diff --git a/src/lib/libssl/src/crypto/ocsp/ocsp_prn.c b/src/lib/libssl/src/crypto/ocsp/ocsp_prn.c
index 1695c9c4ad..87608ff399 100644
--- a/src/lib/libssl/src/crypto/ocsp/ocsp_prn.c
+++ b/src/lib/libssl/src/crypto/ocsp/ocsp_prn.c
@@ -182,7 +182,6 @@ int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags)
         {
 	int i, ret = 0;
 	long l;
-	unsigned char *p;
 	OCSP_CERTID *cid = NULL;
 	OCSP_BASICRESP *br = NULL;
 	OCSP_RESPID *rid = NULL;
@@ -207,7 +206,6 @@ int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags)
 		return 1;
 		}
 
-	p = ASN1_STRING_data(rb->response);
 	i = ASN1_STRING_length(rb->response);
 	if (!(br = OCSP_response_get1_basic(o))) goto err;
 	rd = br->tbsResponseData;
diff --git a/src/lib/libssl/src/crypto/opensslv.h b/src/lib/libssl/src/crypto/opensslv.h
index 2fb110fa0e..310a3387be 100644
--- a/src/lib/libssl/src/crypto/opensslv.h
+++ b/src/lib/libssl/src/crypto/opensslv.h
@@ -25,11 +25,11 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER	0x1000001fL
+#define OPENSSL_VERSION_NUMBER	0x1000005fL
 #ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.0a-fips 1 Jun 2010"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.0e-fips 6 Sep 2011"
 #else
-#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.0a 1 Jun 2010"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.0e 6 Sep 2011"
 #endif
 #define OPENSSL_VERSION_PTEXT	" part of " OPENSSL_VERSION_TEXT
 
diff --git a/src/lib/libssl/src/crypto/pem/pem_lib.c b/src/lib/libssl/src/crypto/pem/pem_lib.c
index 42e4861bc1..cfc89a9921 100644
--- a/src/lib/libssl/src/crypto/pem/pem_lib.c
+++ b/src/lib/libssl/src/crypto/pem/pem_lib.c
@@ -482,7 +482,6 @@ int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, long *plen,
 
 int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cipher)
 	{
-	int o;
 	const EVP_CIPHER *enc=NULL;
 	char *p,c;
 	char **header_pp = &header;
@@ -522,7 +521,6 @@ int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cipher)
 		header++;
 		}
 	*header='\0';
-	o=OBJ_sn2nid(p);
 	cipher->cipher=enc=EVP_get_cipherbyname(p);
 	*header=c;
 	header++;
diff --git a/src/lib/libssl/src/crypto/perlasm/cbc.pl b/src/lib/libssl/src/crypto/perlasm/cbc.pl
index e43dc9ae15..6fc2510905 100644
--- a/src/lib/libssl/src/crypto/perlasm/cbc.pl
+++ b/src/lib/libssl/src/crypto/perlasm/cbc.pl
@@ -158,7 +158,6 @@ sub cbc
 	&jmp_ptr($count);
 
 &set_label("ej7");
-	&xor("edx",		"edx") if $ppro; # ppro friendly
 	&movb(&HB("edx"),	&BP(6,$in,"",0));
 	&shl("edx",8);
 &set_label("ej6");
@@ -170,7 +169,6 @@ sub cbc
 	&jmp(&label("ejend"));
 &set_label("ej3");
 	&movb(&HB("ecx"),	&BP(2,$in,"",0));
-	&xor("ecx",		"ecx") if $ppro; # ppro friendly
 	&shl("ecx",8);
 &set_label("ej2");
 	&movb(&HB("ecx"),	&BP(1,$in,"",0));
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_key.c b/src/lib/libssl/src/crypto/pkcs12/p12_key.c
index a29794bbbc..424203f648 100644
--- a/src/lib/libssl/src/crypto/pkcs12/p12_key.c
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_key.c
@@ -107,6 +107,7 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
 	unsigned char *B, *D, *I, *p, *Ai;
 	int Slen, Plen, Ilen, Ijlen;
 	int i, j, u, v;
+	int ret = 0;
 	BIGNUM *Ij, *Bpl1;	/* These hold Ij and B + 1 */
 	EVP_MD_CTX ctx;
 #ifdef  DEBUG_KEYGEN
@@ -144,10 +145,8 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
 	I = OPENSSL_malloc (Ilen);
 	Ij = BN_new();
 	Bpl1 = BN_new();
-	if (!D || !Ai || !B || !I || !Ij || !Bpl1) {
-		PKCS12err(PKCS12_F_PKCS12_KEY_GEN_UNI,ERR_R_MALLOC_FAILURE);
-		return 0;
-	}
+	if (!D || !Ai || !B || !I || !Ij || !Bpl1)
+		goto err;
 	for (i = 0; i < v; i++) D[i] = id;
 	p = I;
 	for (i = 0; i < Slen; i++) *p++ = salt[i % saltlen];
@@ -164,28 +163,22 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
 		}
 		memcpy (out, Ai, min (n, u));
 		if (u >= n) {
-			OPENSSL_free (Ai);
-			OPENSSL_free (B);
-			OPENSSL_free (D);
-			OPENSSL_free (I);
-			BN_free (Ij);
-			BN_free (Bpl1);
-			EVP_MD_CTX_cleanup(&ctx);
 #ifdef DEBUG_KEYGEN
 			fprintf(stderr, "Output KEY (length %d)\n", tmpn);
 			h__dump(tmpout, tmpn);
 #endif
-			return 1;	
+			ret = 1;
+			goto end;
 		}
 		n -= u;
 		out += u;
 		for (j = 0; j < v; j++) B[j] = Ai[j % u];
 		/* Work out B + 1 first then can use B as tmp space */
-		BN_bin2bn (B, v, Bpl1);
-		BN_add_word (Bpl1, 1);
+		if (!BN_bin2bn (B, v, Bpl1)) goto err;
+		if (!BN_add_word (Bpl1, 1)) goto err;
 		for (j = 0; j < Ilen ; j+=v) {
-			BN_bin2bn (I + j, v, Ij);
-			BN_add (Ij, Ij, Bpl1);
+			if (!BN_bin2bn (I + j, v, Ij)) goto err;
+			if (!BN_add (Ij, Ij, Bpl1)) goto err;
 			BN_bn2bin (Ij, B);
 			Ijlen = BN_num_bytes (Ij);
 			/* If more than 2^(v*8) - 1 cut off MSB */
@@ -201,6 +194,19 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
 			} else BN_bn2bin (Ij, I + j);
 		}
 	}
+
+err:
+	PKCS12err(PKCS12_F_PKCS12_KEY_GEN_UNI,ERR_R_MALLOC_FAILURE);
+
+end:
+	OPENSSL_free (Ai);
+	OPENSSL_free (B);
+	OPENSSL_free (D);
+	OPENSSL_free (I);
+	BN_free (Ij);
+	BN_free (Bpl1);
+	EVP_MD_CTX_cleanup(&ctx);
+	return ret;
 }
 #ifdef DEBUG_KEYGEN
 void h__dump (unsigned char *p, int len)
diff --git a/src/lib/libssl/src/crypto/pkcs7/pk7_doit.c b/src/lib/libssl/src/crypto/pkcs7/pk7_doit.c
index 451de84489..3bf1a367bb 100644
--- a/src/lib/libssl/src/crypto/pkcs7/pk7_doit.c
+++ b/src/lib/libssl/src/crypto/pkcs7/pk7_doit.c
@@ -422,7 +422,6 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
 	X509_ALGOR *enc_alg=NULL;
 	STACK_OF(X509_ALGOR) *md_sk=NULL;
 	STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL;
-	X509_ALGOR *xalg=NULL;
 	PKCS7_RECIP_INFO *ri=NULL;
 
 	i=OBJ_obj2nid(p7->type);
@@ -445,7 +444,6 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
 			PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CIPHER_TYPE);
 			goto err;
 			}
-		xalg=p7->d.signed_and_enveloped->enc_data->algorithm;
 		break;
 	case NID_pkcs7_enveloped:
 		rsk=p7->d.enveloped->recipientinfo;
@@ -457,7 +455,6 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
 			PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CIPHER_TYPE);
 			goto err;
 			}
-		xalg=p7->d.enveloped->enc_data->algorithm;
 		break;
 	default:
 		PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CONTENT_TYPE);
diff --git a/src/lib/libssl/src/crypto/pkcs7/pk7_lib.c b/src/lib/libssl/src/crypto/pkcs7/pk7_lib.c
index 3ca0952792..d411269b50 100644
--- a/src/lib/libssl/src/crypto/pkcs7/pk7_lib.c
+++ b/src/lib/libssl/src/crypto/pkcs7/pk7_lib.c
@@ -591,7 +591,6 @@ X509 *PKCS7_cert_from_signer_info(PKCS7 *p7, PKCS7_SIGNER_INFO *si)
 int PKCS7_set_cipher(PKCS7 *p7, const EVP_CIPHER *cipher)
 	{
 	int i;
-	ASN1_OBJECT *objtmp;
 	PKCS7_ENC_CONTENT *ec;
 
 	i=OBJ_obj2nid(p7->type);
@@ -614,7 +613,6 @@ int PKCS7_set_cipher(PKCS7 *p7, const EVP_CIPHER *cipher)
 		PKCS7err(PKCS7_F_PKCS7_SET_CIPHER,PKCS7_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER);
 		return(0);
 	}
-	objtmp = OBJ_nid2obj(i);
 
 	ec->cipher = cipher;
 	return 1;
diff --git a/src/lib/libssl/src/crypto/rand/md_rand.c b/src/lib/libssl/src/crypto/rand/md_rand.c
index 88088ce73c..b2f04ff13e 100644
--- a/src/lib/libssl/src/crypto/rand/md_rand.c
+++ b/src/lib/libssl/src/crypto/rand/md_rand.c
@@ -476,11 +476,14 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)
 		MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
 
 #ifndef PURIFY /* purify complains */
-		/* DO NOT REMOVE THE FOLLOWING CALL TO MD_Update()! */
+		/* The following line uses the supplied buffer as a small
+		 * source of entropy: since this buffer is often uninitialised
+		 * it may cause programs such as purify or valgrind to
+		 * complain. So for those builds it is not used: the removal
+		 * of such a small source of entropy has negligible impact on
+		 * security.
+		 */
 		MD_Update(&m,buf,j);
-		/* We know that line may cause programs such as
-		   purify and valgrind to complain about use of
-		   uninitialized data.  */
 #endif
 
 		k=(st_idx+MD_DIGEST_LENGTH/2)-st_num;
diff --git a/src/lib/libssl/src/crypto/rand/rand_vms.c b/src/lib/libssl/src/crypto/rand/rand_vms.c
index 1267a3acae..0bfd8ff7e4 100644
--- a/src/lib/libssl/src/crypto/rand/rand_vms.c
+++ b/src/lib/libssl/src/crypto/rand/rand_vms.c
@@ -69,6 +69,17 @@
 # pragma message disable DOLLARID
 #endif
 
+/* Use 32-bit pointers almost everywhere.  Define the type to which to
+ * cast a pointer passed to an external function.
+ */
+#if __INITIAL_POINTER_SIZE == 64
+# define PTR_T __void_ptr64
+# pragma pointer_size save
+# pragma pointer_size 32
+#else /* __INITIAL_POINTER_SIZE == 64 */
+# define PTR_T void *
+#endif /* __INITIAL_POINTER_SIZE == 64 [else] */
+
 static struct items_data_st
 	{
 	short length, code;	/* length is amount of bytes */
@@ -125,11 +136,12 @@ int RAND_poll(void)
 		{
 		if (status == SS$_NORMAL)
 			{
-			RAND_add(data_buffer, total_length, total_length/2);
+			RAND_add( (PTR_T)data_buffer, total_length,
+			 total_length/2);
 			}
 		}
 	sys$gettim(iosb);
-	RAND_add((unsigned char *)iosb, sizeof(iosb), sizeof(iosb)/2);
+	RAND_add( (PTR_T)iosb, sizeof(iosb), sizeof(iosb)/2);
 	return 1;
 }
 
diff --git a/src/lib/libssl/src/crypto/rand/randfile.c b/src/lib/libssl/src/crypto/rand/randfile.c
index 4ed40b7b70..bc7d9c5804 100644
--- a/src/lib/libssl/src/crypto/rand/randfile.c
+++ b/src/lib/libssl/src/crypto/rand/randfile.c
@@ -144,7 +144,9 @@ int RAND_load_file(const char *file, long bytes)
 	   * I/O because we will waste system entropy. 
 	   */
 	  bytes = (bytes == -1) ? 2048 : bytes; /* ok, is 2048 enough? */
+#ifndef OPENSSL_NO_SETVBUF_IONBF
 	  setvbuf(in, NULL, _IONBF, 0); /* don't do buffered reads */
+#endif /* ndef OPENSSL_NO_SETVBUF_IONBF */
 	}
 #endif
 	for (;;)
@@ -269,7 +271,6 @@ err:
 const char *RAND_file_name(char *buf, size_t size)
 	{
 	char *s=NULL;
-	int ok = 0;
 #ifdef __OpenBSD__
 	struct stat sb;
 #endif
@@ -298,7 +299,6 @@ const char *RAND_file_name(char *buf, size_t size)
 			BUF_strlcat(buf,"/",size);
 #endif
 			BUF_strlcat(buf,RFILE,size);
-			ok = 1;
 			}
 		else
 		  	buf[0] = '\0'; /* no file name */
@@ -312,7 +312,7 @@ const char *RAND_file_name(char *buf, size_t size)
 	 * to something hopefully decent if that isn't available. 
 	 */
 
-	if (!ok)
+	if (!buf[0])
 		if (BUF_strlcpy(buf,"/dev/arandom",size) >= size) {
 			return(NULL);
 		}	
diff --git a/src/lib/libssl/src/crypto/rc5/rc5_locl.h b/src/lib/libssl/src/crypto/rc5/rc5_locl.h
index 282dd38822..d337f73fad 100644
--- a/src/lib/libssl/src/crypto/rc5/rc5_locl.h
+++ b/src/lib/libssl/src/crypto/rc5/rc5_locl.h
@@ -154,14 +154,14 @@
 #  define ROTATE_l32(a,n)	({ register unsigned int ret;	\
 					asm ("roll %%cl,%0"	\
 						: "=r"(ret)	\
-						: "c"(n),"0"(a)	\
+						: "c"(n),"0"((unsigned int)(a))	\
 						: "cc");	\
 					ret;			\
 				})
 #  define ROTATE_r32(a,n)	({ register unsigned int ret;	\
 					asm ("rorl %%cl,%0"	\
 						: "=r"(ret)	\
-						: "c"(n),"0"(a)	\
+						: "c"(n),"0"((unsigned int)(a))	\
 						: "cc");	\
 					ret;			\
 				})
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_eay.c b/src/lib/libssl/src/crypto/rsa/rsa_eay.c
index c5eaeeae6b..7c941885f0 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_eay.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_eay.c
@@ -675,7 +675,7 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
 		rsa->_method_mod_n)) goto err;
 
 	if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12))
-		BN_sub(ret, rsa->n, ret);
+		if (!BN_sub(ret, rsa->n, ret)) goto err;
 
 	p=buf;
 	i=BN_bn2bin(ret,p);
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_oaep.c b/src/lib/libssl/src/crypto/rsa/rsa_oaep.c
index e238d10e5c..18d307ea9e 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_oaep.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_oaep.c
@@ -189,34 +189,40 @@ int PKCS1_MGF1(unsigned char *mask, long len,
 	EVP_MD_CTX c;
 	unsigned char md[EVP_MAX_MD_SIZE];
 	int mdlen;
+	int rv = -1;
 
 	EVP_MD_CTX_init(&c);
 	mdlen = EVP_MD_size(dgst);
 	if (mdlen < 0)
-		return -1;
+		goto err;
 	for (i = 0; outlen < len; i++)
 		{
 		cnt[0] = (unsigned char)((i >> 24) & 255);
 		cnt[1] = (unsigned char)((i >> 16) & 255);
 		cnt[2] = (unsigned char)((i >> 8)) & 255;
 		cnt[3] = (unsigned char)(i & 255);
-		EVP_DigestInit_ex(&c,dgst, NULL);
-		EVP_DigestUpdate(&c, seed, seedlen);
-		EVP_DigestUpdate(&c, cnt, 4);
+		if (!EVP_DigestInit_ex(&c,dgst, NULL)
+			|| !EVP_DigestUpdate(&c, seed, seedlen)
+			|| !EVP_DigestUpdate(&c, cnt, 4))
+			goto err;
 		if (outlen + mdlen <= len)
 			{
-			EVP_DigestFinal_ex(&c, mask + outlen, NULL);
+			if (!EVP_DigestFinal_ex(&c, mask + outlen, NULL))
+				goto err;
 			outlen += mdlen;
 			}
 		else
 			{
-			EVP_DigestFinal_ex(&c, md, NULL);
+			if (!EVP_DigestFinal_ex(&c, md, NULL))
+				goto err;
 			memcpy(mask + outlen, md, len - outlen);
 			outlen = len;
 			}
 		}
+	rv = 0;
+	err:
 	EVP_MD_CTX_cleanup(&c);
-	return 0;
+	return rv;
 	}
 
 static int MGF1(unsigned char *mask, long len, const unsigned char *seed,
diff --git a/src/lib/libssl/src/crypto/stack/safestack.h b/src/lib/libssl/src/crypto/stack/safestack.h
index 891cb84a51..3e76aa58f5 100644
--- a/src/lib/libssl/src/crypto/stack/safestack.h
+++ b/src/lib/libssl/src/crypto/stack/safestack.h
@@ -179,7 +179,8 @@ DECLARE_SPECIAL_STACK_OF(OPENSSL_BLOCK, void)
 	sk_is_sorted(CHECKED_STACK_OF(type, st))
 
 #define	SKM_ASN1_SET_OF_d2i(type, st, pp, length, d2i_func, free_func, ex_tag, ex_class) \
-  (STACK_OF(type) *)d2i_ASN1_SET((STACK_OF(OPENSSL_BLOCK) **)CHECKED_STACK_OF(type, st), \
+  (STACK_OF(type) *)d2i_ASN1_SET( \
+				(STACK_OF(OPENSSL_BLOCK) **)CHECKED_PTR_OF(STACK_OF(type)*, st), \
 				pp, length, \
 				CHECKED_D2I_OF(type, d2i_func), \
 				CHECKED_SK_FREE_FUNC(type, free_func), \
@@ -2030,79 +2031,79 @@ DECLARE_SPECIAL_STACK_OF(OPENSSL_BLOCK, void)
 #define sk_void_sort(st) SKM_sk_sort(void, (st))
 #define sk_void_is_sorted(st) SKM_sk_is_sorted(void, (st))
 
-#define sk_OPENSSL_BLOCK_new(cmp) ((STACK_OF(OPENSSL_BLOCK) *)sk_new(CHECKED_SK_CMP_FUNC(void, cmp)))
-#define sk_OPENSSL_BLOCK_new_null() ((STACK_OF(OPENSSL_BLOCK) *)sk_new_null())
-#define sk_OPENSSL_BLOCK_push(st, val) sk_push(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, val))
-#define sk_OPENSSL_BLOCK_find(st, val) sk_find(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, val))
-#define sk_OPENSSL_BLOCK_value(st, i) ((OPENSSL_BLOCK)sk_value(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), i))
-#define sk_OPENSSL_BLOCK_num(st) SKM_sk_num(OPENSSL_BLOCK, st)
-#define sk_OPENSSL_BLOCK_pop_free(st, free_func) sk_pop_free(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_SK_FREE_FUNC2(OPENSSL_BLOCK, free_func))
-#define sk_OPENSSL_BLOCK_insert(st, val, i) sk_insert(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, val), i)
-#define sk_OPENSSL_BLOCK_free(st) SKM_sk_free(OPENSSL_BLOCK, st)
-#define sk_OPENSSL_BLOCK_set(st, i, val) sk_set((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), i, CHECKED_PTR_OF(void, val))
-#define sk_OPENSSL_BLOCK_zero(st) SKM_sk_zero(OPENSSL_BLOCK, (st))
-#define sk_OPENSSL_BLOCK_unshift(st, val) sk_unshift((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, val))
-#define sk_OPENSSL_BLOCK_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_CONST_PTR_OF(void, val))
-#define sk_OPENSSL_BLOCK_delete(st, i) SKM_sk_delete(OPENSSL_BLOCK, (st), (i))
-#define sk_OPENSSL_BLOCK_delete_ptr(st, ptr) (OPENSSL_BLOCK *)sk_delete_ptr((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, ptr))
-#define sk_OPENSSL_BLOCK_set_cmp_func(st, cmp)  \
-	((int (*)(const void * const *,const void * const *)) \
-	sk_set_cmp_func((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_SK_CMP_FUNC(void, cmp)))
-#define sk_OPENSSL_BLOCK_dup(st) SKM_sk_dup(OPENSSL_BLOCK, st)
-#define sk_OPENSSL_BLOCK_shift(st) SKM_sk_shift(OPENSSL_BLOCK, (st))
-#define sk_OPENSSL_BLOCK_pop(st) (void *)sk_pop((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st))
-#define sk_OPENSSL_BLOCK_sort(st) SKM_sk_sort(OPENSSL_BLOCK, (st))
-#define sk_OPENSSL_BLOCK_is_sorted(st) SKM_sk_is_sorted(OPENSSL_BLOCK, (st))
+#define sk_OPENSSL_STRING_new(cmp) ((STACK_OF(OPENSSL_STRING) *)sk_new(CHECKED_SK_CMP_FUNC(char, cmp)))
+#define sk_OPENSSL_STRING_new_null() ((STACK_OF(OPENSSL_STRING) *)sk_new_null())
+#define sk_OPENSSL_STRING_push(st, val) sk_push(CHECKED_STACK_OF(OPENSSL_STRING, st), CHECKED_PTR_OF(char, val))
+#define sk_OPENSSL_STRING_find(st, val) sk_find(CHECKED_STACK_OF(OPENSSL_STRING, st), CHECKED_PTR_OF(char, val))
+#define sk_OPENSSL_STRING_value(st, i) ((OPENSSL_STRING)sk_value(CHECKED_STACK_OF(OPENSSL_STRING, st), i))
+#define sk_OPENSSL_STRING_num(st) SKM_sk_num(OPENSSL_STRING, st)
+#define sk_OPENSSL_STRING_pop_free(st, free_func) sk_pop_free(CHECKED_STACK_OF(OPENSSL_STRING, st), CHECKED_SK_FREE_FUNC2(OPENSSL_STRING, free_func))
+#define sk_OPENSSL_STRING_insert(st, val, i) sk_insert(CHECKED_STACK_OF(OPENSSL_STRING, st), CHECKED_PTR_OF(char, val), i)
+#define sk_OPENSSL_STRING_free(st) SKM_sk_free(OPENSSL_STRING, st)
+#define sk_OPENSSL_STRING_set(st, i, val) sk_set(CHECKED_STACK_OF(OPENSSL_STRING, st), i, CHECKED_PTR_OF(char, val))
+#define sk_OPENSSL_STRING_zero(st) SKM_sk_zero(OPENSSL_STRING, (st))
+#define sk_OPENSSL_STRING_unshift(st, val) sk_unshift(CHECKED_STACK_OF(OPENSSL_STRING, st), CHECKED_PTR_OF(char, val))
+#define sk_OPENSSL_STRING_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_CONST_PTR_OF(char, val))
+#define sk_OPENSSL_STRING_delete(st, i) SKM_sk_delete(OPENSSL_STRING, (st), (i))
+#define sk_OPENSSL_STRING_delete_ptr(st, ptr) (OPENSSL_STRING *)sk_delete_ptr(CHECKED_STACK_OF(OPENSSL_STRING, st), CHECKED_PTR_OF(char, ptr))
+#define sk_OPENSSL_STRING_set_cmp_func(st, cmp)  \
+	((int (*)(const char * const *,const char * const *)) \
+	sk_set_cmp_func(CHECKED_STACK_OF(OPENSSL_STRING, st), CHECKED_SK_CMP_FUNC(char, cmp)))
+#define sk_OPENSSL_STRING_dup(st) SKM_sk_dup(OPENSSL_STRING, st)
+#define sk_OPENSSL_STRING_shift(st) SKM_sk_shift(OPENSSL_STRING, (st))
+#define sk_OPENSSL_STRING_pop(st) (char *)sk_pop(CHECKED_STACK_OF(OPENSSL_STRING, st))
+#define sk_OPENSSL_STRING_sort(st) SKM_sk_sort(OPENSSL_STRING, (st))
+#define sk_OPENSSL_STRING_is_sorted(st) SKM_sk_is_sorted(OPENSSL_STRING, (st))
 
 
 #define sk_OPENSSL_PSTRING_new(cmp) ((STACK_OF(OPENSSL_PSTRING) *)sk_new(CHECKED_SK_CMP_FUNC(OPENSSL_STRING, cmp)))
 #define sk_OPENSSL_PSTRING_new_null() ((STACK_OF(OPENSSL_PSTRING) *)sk_new_null())
-#define sk_OPENSSL_PSTRING_push(st, val) sk_push(CHECKED_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), CHECKED_PTR_OF(OPENSSL_STRING, val))
-#define sk_OPENSSL_PSTRING_find(st, val) sk_find(CHECKED_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), CHECKED_PTR_OF(OPENSSL_STRING, val))
-#define sk_OPENSSL_PSTRING_value(st, i) ((OPENSSL_PSTRING)sk_value(CHECKED_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), i))
+#define sk_OPENSSL_PSTRING_push(st, val) sk_push(CHECKED_STACK_OF(OPENSSL_PSTRING, st), CHECKED_PTR_OF(OPENSSL_STRING, val))
+#define sk_OPENSSL_PSTRING_find(st, val) sk_find(CHECKED_STACK_OF(OPENSSL_PSTRING, st), CHECKED_PTR_OF(OPENSSL_STRING, val))
+#define sk_OPENSSL_PSTRING_value(st, i) ((OPENSSL_PSTRING)sk_value(CHECKED_STACK_OF(OPENSSL_PSTRING, st), i))
 #define sk_OPENSSL_PSTRING_num(st) SKM_sk_num(OPENSSL_PSTRING, st)
-#define sk_OPENSSL_PSTRING_pop_free(st, free_func) sk_pop_free(CHECKED_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), CHECKED_SK_FREE_FUNC2(OPENSSL_PSTRING, free_func))
-#define sk_OPENSSL_PSTRING_insert(st, val, i) sk_insert(CHECKED_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), CHECKED_PTR_OF(OPENSSL_STRING, val), i)
+#define sk_OPENSSL_PSTRING_pop_free(st, free_func) sk_pop_free(CHECKED_STACK_OF(OPENSSL_PSTRING, st), CHECKED_SK_FREE_FUNC2(OPENSSL_PSTRING, free_func))
+#define sk_OPENSSL_PSTRING_insert(st, val, i) sk_insert(CHECKED_STACK_OF(OPENSSL_PSTRING, st), CHECKED_PTR_OF(OPENSSL_STRING, val), i)
 #define sk_OPENSSL_PSTRING_free(st) SKM_sk_free(OPENSSL_PSTRING, st)
-#define sk_OPENSSL_PSTRING_set(st, i, val) sk_set((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), i, CHECKED_PTR_OF(OPENSSL_STRING, val))
+#define sk_OPENSSL_PSTRING_set(st, i, val) sk_set(CHECKED_STACK_OF(OPENSSL_PSTRING, st), i, CHECKED_PTR_OF(OPENSSL_STRING, val))
 #define sk_OPENSSL_PSTRING_zero(st) SKM_sk_zero(OPENSSL_PSTRING, (st))
-#define sk_OPENSSL_PSTRING_unshift(st, val) sk_unshift((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), CHECKED_PTR_OF(OPENSSL_STRING, val))
+#define sk_OPENSSL_PSTRING_unshift(st, val) sk_unshift(CHECKED_STACK_OF(OPENSSL_PSTRING, st), CHECKED_PTR_OF(OPENSSL_STRING, val))
 #define sk_OPENSSL_PSTRING_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), CHECKED_CONST_PTR_OF(OPENSSL_STRING, val))
 #define sk_OPENSSL_PSTRING_delete(st, i) SKM_sk_delete(OPENSSL_PSTRING, (st), (i))
-#define sk_OPENSSL_PSTRING_delete_ptr(st, ptr) (OPENSSL_PSTRING *)sk_delete_ptr((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), CHECKED_PTR_OF(OPENSSL_STRING, ptr))
+#define sk_OPENSSL_PSTRING_delete_ptr(st, ptr) (OPENSSL_PSTRING *)sk_delete_ptr(CHECKED_STACK_OF(OPENSSL_PSTRING, st), CHECKED_PTR_OF(OPENSSL_STRING, ptr))
 #define sk_OPENSSL_PSTRING_set_cmp_func(st, cmp)  \
 	((int (*)(const OPENSSL_STRING * const *,const OPENSSL_STRING * const *)) \
-	sk_set_cmp_func((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), CHECKED_SK_CMP_FUNC(OPENSSL_STRING, cmp)))
+	sk_set_cmp_func(CHECKED_STACK_OF(OPENSSL_PSTRING, st), CHECKED_SK_CMP_FUNC(OPENSSL_STRING, cmp)))
 #define sk_OPENSSL_PSTRING_dup(st) SKM_sk_dup(OPENSSL_PSTRING, st)
 #define sk_OPENSSL_PSTRING_shift(st) SKM_sk_shift(OPENSSL_PSTRING, (st))
-#define sk_OPENSSL_PSTRING_pop(st) (OPENSSL_STRING *)sk_pop((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_PSTRING), st))
+#define sk_OPENSSL_PSTRING_pop(st) (OPENSSL_STRING *)sk_pop(CHECKED_STACK_OF(OPENSSL_PSTRING, st))
 #define sk_OPENSSL_PSTRING_sort(st) SKM_sk_sort(OPENSSL_PSTRING, (st))
 #define sk_OPENSSL_PSTRING_is_sorted(st) SKM_sk_is_sorted(OPENSSL_PSTRING, (st))
 
 
-#define sk_OPENSSL_STRING_new(cmp) ((STACK_OF(OPENSSL_STRING) *)sk_new(CHECKED_SK_CMP_FUNC(char, cmp)))
-#define sk_OPENSSL_STRING_new_null() ((STACK_OF(OPENSSL_STRING) *)sk_new_null())
-#define sk_OPENSSL_STRING_push(st, val) sk_push(CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_PTR_OF(char, val))
-#define sk_OPENSSL_STRING_find(st, val) sk_find(CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_PTR_OF(char, val))
-#define sk_OPENSSL_STRING_value(st, i) ((OPENSSL_STRING)sk_value(CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), i))
-#define sk_OPENSSL_STRING_num(st) SKM_sk_num(OPENSSL_STRING, st)
-#define sk_OPENSSL_STRING_pop_free(st, free_func) sk_pop_free(CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_SK_FREE_FUNC2(OPENSSL_STRING, free_func))
-#define sk_OPENSSL_STRING_insert(st, val, i) sk_insert(CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_PTR_OF(char, val), i)
-#define sk_OPENSSL_STRING_free(st) SKM_sk_free(OPENSSL_STRING, st)
-#define sk_OPENSSL_STRING_set(st, i, val) sk_set((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), i, CHECKED_PTR_OF(char, val))
-#define sk_OPENSSL_STRING_zero(st) SKM_sk_zero(OPENSSL_STRING, (st))
-#define sk_OPENSSL_STRING_unshift(st, val) sk_unshift((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_PTR_OF(char, val))
-#define sk_OPENSSL_STRING_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_CONST_PTR_OF(char, val))
-#define sk_OPENSSL_STRING_delete(st, i) SKM_sk_delete(OPENSSL_STRING, (st), (i))
-#define sk_OPENSSL_STRING_delete_ptr(st, ptr) (OPENSSL_STRING *)sk_delete_ptr((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_PTR_OF(char, ptr))
-#define sk_OPENSSL_STRING_set_cmp_func(st, cmp)  \
-	((int (*)(const char * const *,const char * const *)) \
-	sk_set_cmp_func((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_SK_CMP_FUNC(char, cmp)))
-#define sk_OPENSSL_STRING_dup(st) SKM_sk_dup(OPENSSL_STRING, st)
-#define sk_OPENSSL_STRING_shift(st) SKM_sk_shift(OPENSSL_STRING, (st))
-#define sk_OPENSSL_STRING_pop(st) (char *)sk_pop((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st))
-#define sk_OPENSSL_STRING_sort(st) SKM_sk_sort(OPENSSL_STRING, (st))
-#define sk_OPENSSL_STRING_is_sorted(st) SKM_sk_is_sorted(OPENSSL_STRING, (st))
+#define sk_OPENSSL_BLOCK_new(cmp) ((STACK_OF(OPENSSL_BLOCK) *)sk_new(CHECKED_SK_CMP_FUNC(void, cmp)))
+#define sk_OPENSSL_BLOCK_new_null() ((STACK_OF(OPENSSL_BLOCK) *)sk_new_null())
+#define sk_OPENSSL_BLOCK_push(st, val) sk_push(CHECKED_STACK_OF(OPENSSL_BLOCK, st), CHECKED_PTR_OF(void, val))
+#define sk_OPENSSL_BLOCK_find(st, val) sk_find(CHECKED_STACK_OF(OPENSSL_BLOCK, st), CHECKED_PTR_OF(void, val))
+#define sk_OPENSSL_BLOCK_value(st, i) ((OPENSSL_BLOCK)sk_value(CHECKED_STACK_OF(OPENSSL_BLOCK, st), i))
+#define sk_OPENSSL_BLOCK_num(st) SKM_sk_num(OPENSSL_BLOCK, st)
+#define sk_OPENSSL_BLOCK_pop_free(st, free_func) sk_pop_free(CHECKED_STACK_OF(OPENSSL_BLOCK, st), CHECKED_SK_FREE_FUNC2(OPENSSL_BLOCK, free_func))
+#define sk_OPENSSL_BLOCK_insert(st, val, i) sk_insert(CHECKED_STACK_OF(OPENSSL_BLOCK, st), CHECKED_PTR_OF(void, val), i)
+#define sk_OPENSSL_BLOCK_free(st) SKM_sk_free(OPENSSL_BLOCK, st)
+#define sk_OPENSSL_BLOCK_set(st, i, val) sk_set(CHECKED_STACK_OF(OPENSSL_BLOCK, st), i, CHECKED_PTR_OF(void, val))
+#define sk_OPENSSL_BLOCK_zero(st) SKM_sk_zero(OPENSSL_BLOCK, (st))
+#define sk_OPENSSL_BLOCK_unshift(st, val) sk_unshift(CHECKED_STACK_OF(OPENSSL_BLOCK, st), CHECKED_PTR_OF(void, val))
+#define sk_OPENSSL_BLOCK_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_CONST_PTR_OF(void, val))
+#define sk_OPENSSL_BLOCK_delete(st, i) SKM_sk_delete(OPENSSL_BLOCK, (st), (i))
+#define sk_OPENSSL_BLOCK_delete_ptr(st, ptr) (OPENSSL_BLOCK *)sk_delete_ptr(CHECKED_STACK_OF(OPENSSL_BLOCK, st), CHECKED_PTR_OF(void, ptr))
+#define sk_OPENSSL_BLOCK_set_cmp_func(st, cmp)  \
+	((int (*)(const void * const *,const void * const *)) \
+	sk_set_cmp_func(CHECKED_STACK_OF(OPENSSL_BLOCK, st), CHECKED_SK_CMP_FUNC(void, cmp)))
+#define sk_OPENSSL_BLOCK_dup(st) SKM_sk_dup(OPENSSL_BLOCK, st)
+#define sk_OPENSSL_BLOCK_shift(st) SKM_sk_shift(OPENSSL_BLOCK, (st))
+#define sk_OPENSSL_BLOCK_pop(st) (void *)sk_pop(CHECKED_STACK_OF(OPENSSL_BLOCK, st))
+#define sk_OPENSSL_BLOCK_sort(st) SKM_sk_sort(OPENSSL_BLOCK, (st))
+#define sk_OPENSSL_BLOCK_is_sorted(st) SKM_sk_is_sorted(OPENSSL_BLOCK, (st))
 
 
 #define d2i_ASN1_SET_OF_ACCESS_DESCRIPTION(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \
diff --git a/src/lib/libssl/src/crypto/x509/x509.h b/src/lib/libssl/src/crypto/x509/x509.h
index 604f4fb27f..e6f8a40395 100644
--- a/src/lib/libssl/src/crypto/x509/x509.h
+++ b/src/lib/libssl/src/crypto/x509/x509.h
@@ -258,6 +258,7 @@ typedef struct x509_cinf_st
 	ASN1_BIT_STRING *issuerUID;		/* [ 1 ] optional in v2 */
 	ASN1_BIT_STRING *subjectUID;		/* [ 2 ] optional in v2 */
 	STACK_OF(X509_EXTENSION) *extensions;	/* [ 3 ] optional in v3 */
+	ASN1_ENCODING enc;
 	} X509_CINF;
 
 /* This stuff is certificate "auxiliary info"
diff --git a/src/lib/libssl/src/crypto/x509/x509_vfy.c b/src/lib/libssl/src/crypto/x509/x509_vfy.c
index 87ebf62525..5a0b0249b4 100644
--- a/src/lib/libssl/src/crypto/x509/x509_vfy.c
+++ b/src/lib/libssl/src/crypto/x509/x509_vfy.c
@@ -703,6 +703,7 @@ static int check_cert(X509_STORE_CTX *ctx)
 	x = sk_X509_value(ctx->chain, cnum);
 	ctx->current_cert = x;
 	ctx->current_issuer = NULL;
+	ctx->current_crl_score = 0;
 	ctx->current_reasons = 0;
 	while (ctx->current_reasons != CRLDP_ALL_REASONS)
 		{
@@ -2015,6 +2016,9 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
 	ctx->error_depth=0;
 	ctx->current_cert=NULL;
 	ctx->current_issuer=NULL;
+	ctx->current_crl=NULL;
+	ctx->current_crl_score=0;
+	ctx->current_reasons=0;
 	ctx->tree = NULL;
 	ctx->parent = NULL;
 
@@ -2034,7 +2038,7 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
 	if (store)
 		ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param);
 	else
-		ctx->param->flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE;
+		ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE;
 
 	if (store)
 		{
diff --git a/src/lib/libssl/src/crypto/x509/x_all.c b/src/lib/libssl/src/crypto/x509/x_all.c
index ebae30b701..8ec88c215a 100644
--- a/src/lib/libssl/src/crypto/x509/x_all.c
+++ b/src/lib/libssl/src/crypto/x509/x_all.c
@@ -90,6 +90,7 @@ int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r)
 
 int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
 	{
+	x->cert_info->enc.modified = 1;
 	return(ASN1_item_sign(ASN1_ITEM_rptr(X509_CINF), x->cert_info->signature,
 		x->sig_alg, x->signature, x->cert_info,pkey,md));
 	}
diff --git a/src/lib/libssl/src/doc/apps/smime.pod b/src/lib/libssl/src/doc/apps/smime.pod
index 42c0733bcb..e4e89af847 100644
--- a/src/lib/libssl/src/doc/apps/smime.pod
+++ b/src/lib/libssl/src/doc/apps/smime.pod
@@ -343,7 +343,7 @@ Create a cleartext signed message:
  openssl smime -sign -in message.txt -text -out mail.msg \
 	-signer mycert.pem
 
-Create an opaque signed message
+Create an opaque signed message:
 
  openssl smime -sign -in message.txt -text -out mail.msg -nodetach \
 	-signer mycert.pem
@@ -397,11 +397,11 @@ it with:
  -----BEGIN PKCS7-----
  -----END PKCS7-----
 
-and using the command, 
+and using the command: 
 
  openssl smime -verify -inform PEM -in signature.pem -content content.txt
 
-alternatively you can base64 decode the signature and use
+Alternatively you can base64 decode the signature and use:
 
  openssl smime -verify -inform DER -in signature.der -content content.txt
 
@@ -427,7 +427,7 @@ Ideally a database should be maintained of a certificates for each email
 address.
 
 The code doesn't currently take note of the permitted symmetric encryption
-algorithms as supplied in the SMIMECapabilities signed attribute. this means the
+algorithms as supplied in the SMIMECapabilities signed attribute. This means the
 user has to manually include the correct encryption algorithm. It should store
 the list of permitted ciphers in a database and only use those.
 
diff --git a/src/lib/libssl/src/doc/crypto/EVP_PKEY_verifyrecover.pod b/src/lib/libssl/src/doc/crypto/EVP_PKEY_verifyrecover.pod
index e2a2a8c6f8..f3605eb826 100644
--- a/src/lib/libssl/src/doc/crypto/EVP_PKEY_verifyrecover.pod
+++ b/src/lib/libssl/src/doc/crypto/EVP_PKEY_verifyrecover.pod
@@ -74,7 +74,7 @@ Recover digest originally signed using PKCS#1 and SHA256 digest:
 	/* Error */
 
  /* Determine buffer length */
- if (EVP_PKEY_verifyrecover(ctx, rout, &routlen, sig, siglen) <= 0)
+ if (EVP_PKEY_verifyrecover(ctx, NULL, &routlen, sig, siglen) <= 0)
 	/* Error */
 
  rout = OPENSSL_malloc(routlen);
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod
index 310db84b31..cc588f3a78 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod
@@ -78,18 +78,7 @@ this breaks this server so 16 bytes is the way to go.
 
 =item SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
 
-ssl3.netscape.com:443, first a connection is established with RC4-MD5.
-If it is then resumed, we end up using DES-CBC3-SHA.  It should be
-RC4-MD5 according to 7.6.1.3, 'cipher_suite'.
-
-Netscape-Enterprise/2.01 (https://merchant.netscape.com) has this bug.
-It only really shows up when connecting via SSLv2/v3 then reconnecting
-via SSLv3. The cipher list changes....
-
-NEW INFORMATION.  Try connecting with a cipher list of just
-DES-CBC-SHA:RC4-MD5.  For some weird reason, each new connection uses
-RC4-MD5, but a re-connect tries to use DES-CBC-SHA.  So netscape, when
-doing a re-connect, always takes the first cipher in the cipher list.
+As of OpenSSL 0.9.8q and 1.0.0c, this option has no effect.
 
 =item SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
 
diff --git a/src/lib/libssl/src/doc/ssl/ssl.pod b/src/lib/libssl/src/doc/ssl/ssl.pod
index 2b6004ee32..6d3ee24e4e 100644
--- a/src/lib/libssl/src/doc/ssl/ssl.pod
+++ b/src/lib/libssl/src/doc/ssl/ssl.pod
@@ -158,7 +158,7 @@ Constructor for the SSLv3 SSL_METHOD structure for combined client and server.
 
 Constructor for the TLSv1 SSL_METHOD structure for a dedicated client.
 
-=item cosnt SSL_METHOD *B<TLSv1_server_method>(void);
+=item const SSL_METHOD *B<TLSv1_server_method>(void);
 
 Constructor for the TLSv1 SSL_METHOD structure for a dedicated server.
 
diff --git a/src/lib/libssl/src/engines/makeengines.com b/src/lib/libssl/src/engines/makeengines.com
index 6cf4236077..6329fbbf03 100644
--- a/src/lib/libssl/src/engines/makeengines.com
+++ b/src/lib/libssl/src/engines/makeengines.com
@@ -28,11 +28,35 @@ $!
 $!  P6	if defined, denotes which engines to build.  If not defined,
 $!	all available engines are built.
 $!
+$!  P7, if defined, specifies the C pointer size.  Ignored on VAX.
+$!      ("64=ARGV" gives more efficient code with HP C V7.3 or newer.)
+$!      Supported values are:
+$!
+$!	""	Compile with default (/NOPOINTER_SIZE)
+$!	32	Compile with /POINTER_SIZE=32 (SHORT)
+$!	64	Compile with /POINTER_SIZE=64[=ARGV] (LONG[=ARGV])
+$!               (Automatically select ARGV if compiler supports it.)
+$!      64=      Compile with /POINTER_SIZE=64 (LONG).
+$!      64=ARGV  Compile with /POINTER_SIZE=64=ARGV (LONG=ARGV).
+$!
+$!  P8, if defined, specifies a directory where ZLIB files (zlib.h,
+$!  libz.olb) may be found.  Optionally, a non-default object library
+$!  name may be included ("dev:[dir]libz_64.olb", for example).
+$!
 $!-----------------------------------------------------------------------------
 $!
+$! Announce/identify.
+$!
+$ proc = f$environment( "procedure")
+$ write sys$output "@@@ "+ -
+   f$parse( proc, , , "name")+ f$parse( proc, , , "type")
+$!
+$ on control_c then goto exit
+$!
 $! Set the default TCP/IP library to link against if needed
 $!
 $ TCPIP_LIB = ""
+$ ZLIB_LIB = ""
 $!
 $! Check What Architecture We Are Using.
 $!
@@ -56,6 +80,11 @@ $! End The Architecture Check.
 $!
 $ ENDIF
 $!
+$ ARCHD = ARCH
+$ LIB32 = "32"
+$ OPT_FILE = ""
+$ POINTER_SIZE = ""
+$!
 $! Set the names of the engines we want to build
 $! NOTE: Some might think this list ugly.  However, it's made this way to
 $! reflect the LIBNAMES variable in Makefile as closely as possible,
@@ -72,28 +101,47 @@ $!
 $ IF (ARCH .NES. "VAX") THEN -
        ENGINES = ENGINES+ ",ccgost"
 $!
+$! Check options.
+$!
+$ OPT_PHASE = P1
+$ ACCEPT_PHASE = "ALL,ENGINES"
+$ OPT_DEBUG = P2
+$ OPT_COMPILER = P3
+$ OPT_TCPIP_LIB = P4
+$ OPT_SPECIAL_THREADS = P5
+$ OPT_POINTER_SIZE = P7
+$ ZLIB = P8
+$
+$ GOSUB CHECK_OPTIONS
+$!
 $! Set the goal directories, and create them if necessary
 $!
-$ OBJ_DIR := SYS$DISK:[-.'ARCH'.OBJ.ENGINES]
-$ EXE_DIR := SYS$DISK:[-.'ARCH'.EXE.ENGINES]
+$ OBJ_DIR := SYS$DISK:[-.'ARCHD'.OBJ.ENGINES]
+$ EXE_DIR := SYS$DISK:[-.'ARCHD'.EXE.ENGINES]
 $ IF F$PARSE(OBJ_DIR) .EQS. "" THEN CREATE/DIRECTORY 'OBJ_DIR'
 $ IF F$PARSE(EXE_DIR) .EQS. "" THEN CREATE/DIRECTORY 'EXE_DIR'
 $!
 $! Set the goal files, and create them if necessary
 $!
-$ CRYPTO_LIB :=SYS$DISK:[-.'ARCH'.EXE.CRYPTO]LIBCRYPTO.OLB
+$ CRYPTO_LIB := SYS$DISK:[-.'ARCHD'.EXE.CRYPTO]SSL_LIBCRYPTO'LIB32'.OLB
 $ IF F$SEARCH(CRYPTO_LIB) .EQS. "" THEN LIBRARY/CREATE/OBJECT 'CRYPTO_LIB'
 $!
-$! OK, time to check options and initialise
+$! Specify the destination directory in any /MAP option.
+$!
+$ if (LINKMAP .eqs. "MAP")
+$ then
+$   LINKMAP = LINKMAP+ "=''EXE_DIR'"
+$ endif
+$!
+$! Add the location prefix to the linker options file name.
+$!
+$ if (OPT_FILE .nes. "")
+$ then
+$   OPT_FILE = EXE_DIR+ OPT_FILE
+$ endif
+$!
+$! Initialise.
 $!
-$ OPT_PHASE = P1
-$ ACCEPT_PHASE = "ALL,ENGINES"
-$ OPT_DEBUG = P2
-$ OPT_COMPILER = P3
-$ OPT_TCPIP_LIB = P4
-$ OPT_SPECIAL_THREADS = P5
-$
-$ GOSUB CHECK_OPTIONS
 $ GOSUB INITIALISE
 $ GOSUB CHECK_OPT_FILE
 $!
@@ -172,7 +220,7 @@ $! Create a .OPT file for the object files (for a real engine name).
 $!
 $ IF ENGINE_NAME .NES. ""
 $ THEN
-$   OPEN/WRITE OBJECTS 'EXE_DIR''ENGINE_NAME'.OPT
+$   OPEN /WRITE OBJECTS 'EXE_DIR''ENGINE_NAME'.OPT
 $ ENDIF
 $!
 $! Here's the start of per-engine module loop.
@@ -257,18 +305,14 @@ $! For shareable libraries, we need to do things a little differently
 $! depending on if we link with a TCP/IP library or not.
 $!
 $ ENGINE_OPT := SYS$DISK:[]'ARCH'.OPT
-$ IF TCPIP_LIB .NES. ""
-$ THEN
-$   LINK/'DEBUGGER'/'TRACEBACK' /SHARE='EXE_DIR''ENGINE_NAME'.EXE -
-	'EXE_DIR''ENGINE_NAME'.OPT/OPTION'TV_OBJ', -
-	'CRYPTO_LIB'/LIBRARY, -
-	'ENGINE_OPT'/OPTION,'TCPIP_LIB','OPT_FILE'/OPTION
-$ ELSE
-$   LINK/'DEBUGGER'/'TRACEBACK' /SHARE='EXE_DIR''ENGINE_NAME'.EXE -
-	'EXE_DIR''ENGINE_NAME'.OPT/OPTION'TV_OBJ', -
-        'CRYPTO_LIB'/LIBRARY, -
-	'ENGINE_OPT'/OPTION,'OPT_FILE'/OPTION
-$ ENDIF
+$ LINK /'DEBUGGER' /'LINKMAP' /'TRACEBACK' /SHARE='EXE_DIR''ENGINE_NAME'.EXE -
+   'EXE_DIR''ENGINE_NAME'.OPT /OPTIONS -
+   'TV_OBJ', -
+   'CRYPTO_LIB' /LIBRARY, -
+   'ENGINE_OPT' /OPTIONS -
+   'TCPIP_LIB' -
+   'ZLIB_LIB' -
+   ,'OPT_FILE' /OPTIONS
 $!
 $! Next engine
 $!
@@ -302,7 +346,7 @@ $!
 $     CREATE 'OPT_FILE'
 $DECK
 !
-! Default System Options File To Link Agianst 
+! Default System Options File To Link Against 
 ! The Sharable VAX C Runtime Library.
 !
 SYS$SHARE:VAXCRTL.EXE/SHARE
@@ -331,7 +375,7 @@ $!
 $     CREATE 'OPT_FILE'
 $DECK
 !
-! Default System Options File To Link Agianst 
+! Default System Options File To Link Against 
 ! The Sharable C Runtime Library.
 !
 GNU_CC:[000000]GCCLIB/LIBRARY
@@ -366,7 +410,7 @@ $!
 $       CREATE 'OPT_FILE'
 $DECK
 !
-! Default System Options File To Link Agianst 
+! Default System Options File To Link Against 
 ! The Sharable DEC C Runtime Library.
 !
 SYS$SHARE:DECC$SHR.EXE/SHARE
@@ -381,7 +425,7 @@ $!
 $       CREATE 'OPT_FILE'
 $DECK
 !
-! Default System Options File For non-VAX To Link Agianst 
+! Default System Options File For non-VAX To Link Against 
 ! The Sharable C Runtime Library.
 !
 SYS$SHARE:CMA$OPEN_LIB_SHR/SHARE
@@ -453,8 +497,8 @@ $     IF ("," + ACCEPT_PHASE + ",") - ",ENGINES," -
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT " where 'xxx' stands for:"
 $     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "    ALPHA    :  Alpha architecture."
-$     WRITE SYS$OUTPUT "    IA64     :  IA64 architecture."
+$     WRITE SYS$OUTPUT "    ALPHA[64]:  Alpha architecture."
+$     WRITE SYS$OUTPUT "    IA64[64] :  IA64 architecture."
 $     WRITE SYS$OUTPUT "    VAX      :  VAX architecture."
 $     WRITE SYS$OUTPUT ""
 $!
@@ -475,15 +519,16 @@ $!
 $ IF (OPT_DEBUG.EQS."NODEBUG")
 $ THEN
 $!
-$!   OPT_DEBUG Is NODEBUG, So Compile Without The Debugger Information.
+$!  OPT_DEBUG Is NODEBUG, So Compile Without The Debugger Information.
 $!
-$    DEBUGGER = "NODEBUG"
-$    TRACEBACK = "NOTRACEBACK" 
-$    GCC_OPTIMIZE = "OPTIMIZE"
-$    CC_OPTIMIZE = "OPTIMIZE"
-$    MACRO_OPTIMIZE = "OPTIMIZE"
-$    WRITE SYS$OUTPUT "No Debugger Information Will Be Produced During Compile."
-$    WRITE SYS$OUTPUT "Compiling With Compiler Optimization."
+$   DEBUGGER = "NODEBUG"
+$   LINKMAP = "NOMAP"
+$   TRACEBACK = "NOTRACEBACK" 
+$   GCC_OPTIMIZE = "OPTIMIZE"
+$   CC_OPTIMIZE = "OPTIMIZE"
+$   MACRO_OPTIMIZE = "OPTIMIZE"
+$   WRITE SYS$OUTPUT "No Debugger Information Will Be Produced During Compile."
+$   WRITE SYS$OUTPUT "Compiling With Compiler Optimization."
 $ ELSE
 $!
 $!  Check To See If We Are To Compile With Debugger Information.
@@ -494,6 +539,7 @@ $!
 $!    Compile With Debugger Information.
 $!
 $     DEBUGGER = "DEBUG"
+$     LINKMAP = "MAP"
 $     TRACEBACK = "TRACEBACK"
 $     GCC_OPTIMIZE = "NOOPTIMIZE"
 $     CC_OPTIMIZE = "NOOPTIMIZE"
@@ -502,7 +548,7 @@ $     WRITE SYS$OUTPUT "Debugger Information Will Be Produced During Compile."
 $     WRITE SYS$OUTPUT "Compiling Without Compiler Optimization."
 $   ELSE 
 $!
-$!    They Entered An Invalid Option..
+$!    They Entered An Invalid Option.
 $!
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT "The Option ",OPT_DEBUG," Is Invalid.  The Valid Options Are:"
@@ -557,6 +603,59 @@ $! End The OPT_SPECIAL_THREADS Check.
 $!
 $ ENDIF
 $!
+$! Check OPT_POINTER_SIZE (P7).
+$!
+$ IF (OPT_POINTER_SIZE .NES. "") .AND. (ARCH .NES. "VAX")
+$ THEN
+$!
+$   IF (OPT_POINTER_SIZE .EQS. "32")
+$   THEN
+$     POINTER_SIZE = " /POINTER_SIZE=32"
+$   ELSE
+$     POINTER_SIZE = F$EDIT( OPT_POINTER_SIZE, "COLLAPSE, UPCASE")
+$     IF ((POINTER_SIZE .EQS. "64") .OR. -
+       (POINTER_SIZE .EQS. "64=") .OR. -
+       (POINTER_SIZE .EQS. "64=ARGV"))
+$     THEN
+$       ARCHD = ARCH+ "_64"
+$       LIB32 = ""
+$       POINTER_SIZE = " /POINTER_SIZE=64"
+$     ELSE
+$!
+$!      Tell The User Entered An Invalid Option.
+$!
+$       WRITE SYS$OUTPUT ""
+$       WRITE SYS$OUTPUT "The Option ", OPT_POINTER_SIZE, -
+         " Is Invalid.  The Valid Options Are:"
+$       WRITE SYS$OUTPUT ""
+$       WRITE SYS$OUTPUT -
+         "    """"       :  Compile with default (short) pointers."
+$       WRITE SYS$OUTPUT -
+         "    32       :  Compile with 32-bit (short) pointers."
+$       WRITE SYS$OUTPUT -
+         "    64       :  Compile with 64-bit (long) pointers (auto ARGV)."
+$       WRITE SYS$OUTPUT -
+         "    64=      :  Compile with 64-bit (long) pointers (no ARGV)."
+$       WRITE SYS$OUTPUT -
+         "    64=ARGV  :  Compile with 64-bit (long) pointers (ARGV)."
+$       WRITE SYS$OUTPUT ""
+$! 
+$!      Time To EXIT.
+$!
+$       EXIT
+$!
+$     ENDIF
+$!
+$   ENDIF
+$!
+$! End The OPT_POINTER_SIZE Check.
+$!
+$ ENDIF
+$!
+$! Set basic C compiler /INCLUDE directories.
+$!
+$ CC_INCLUDES = "SYS$DISK:[],SYS$DISK:[.VENDOR_DEFNS]"
+$!
 $! Check To See If OPT_COMPILER Is Blank.
 $!
 $ IF (OPT_COMPILER.EQS."")
@@ -657,11 +756,63 @@ $ CCDEFS = "TCPIP_TYPE_''OPT_TCPIP_LIB',DSO_VMS"
 $ IF F$TYPE(USER_CCDEFS) .NES. "" THEN CCDEFS = CCDEFS + "," + USER_CCDEFS
 $ CCEXTRAFLAGS = ""
 $ IF F$TYPE(USER_CCFLAGS) .NES. "" THEN CCEXTRAFLAGS = USER_CCFLAGS
-$ CCDISABLEWARNINGS = "LONGLONGTYPE,LONGLONGSUFX"
+$ CCDISABLEWARNINGS = "" !!! "LONGLONGTYPE,LONGLONGSUFX"
 $ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. "" THEN -
 	CCDISABLEWARNINGS = CCDISABLEWARNINGS + "," + USER_CCDISABLEWARNINGS
 $!
-$!  Check To See If The User Entered A Valid Paramter.
+$! Check To See If We Have A ZLIB Option.
+$!
+$ IF (ZLIB .NES. "")
+$ THEN
+$!
+$!  Check for expected ZLIB files.
+$!
+$   err = 0
+$   file1 = f$parse( "zlib.h", ZLIB, , , "SYNTAX_ONLY")
+$   if (f$search( file1) .eqs. "")
+$   then
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "The Option ", ZLIB, " Is Invalid."
+$     WRITE SYS$OUTPUT "    Can't find header: ''file1'"
+$     err = 1
+$   endif
+$   file1 = f$parse( "A.;", ZLIB)- "A.;"
+$!
+$   file2 = f$parse( ZLIB, "libz.olb", , , "SYNTAX_ONLY")
+$   if (f$search( file2) .eqs. "")
+$   then
+$     if (err .eq. 0)
+$     then
+$       WRITE SYS$OUTPUT ""
+$       WRITE SYS$OUTPUT "The Option ", ZLIB, " Is Invalid."
+$     endif
+$     WRITE SYS$OUTPUT "    Can't find library: ''file2'"
+$     WRITE SYS$OUTPUT ""
+$     err = err+ 2
+$   endif
+$   if (err .eq. 1)
+$   then
+$     WRITE SYS$OUTPUT ""
+$   endif
+$!
+$   if (err .ne. 0)
+$   then
+$     EXIT
+$   endif
+$!
+$   CCDEFS = """ZLIB=1"", "+ CCDEFS
+$   CC_INCLUDES = CC_INCLUDES+ ", "+ file1
+$   ZLIB_LIB = ", ''file2' /library"
+$!
+$!  Print info
+$!
+$   WRITE SYS$OUTPUT "ZLIB library spec: ", file2
+$!
+$! End The ZLIB Check.
+$!
+$ ENDIF
+$!
+$!  Check To See If The User Entered A Valid Parameter.
 $!
 $ IF (OPT_COMPILER.EQS."VAXC").OR.(OPT_COMPILER.EQS."DECC").OR.(OPT_COMPILER.EQS."GNUC")
 $ THEN
@@ -684,14 +835,14 @@ $!
 $     CC = "CC"
 $     IF ARCH.EQS."VAX" .AND. F$TRNLNM("DECC$CC_DEFAULT").NES."/DECC" -
 	 THEN CC = "CC/DECC"
-$     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/STANDARD=ANSI89" + -
-           "/NOLIST/PREFIX=ALL" + -
-	   "/INCLUDE=(SYS$DISK:[],SYS$DISK:[.VENDOR_DEFNS])" + -
-	   CCEXTRAFLAGS
+$     CC = CC + " /''CC_OPTIMIZE' /''DEBUGGER' /STANDARD=RELAXED"+ -
+       "''POINTER_SIZE' /NOLIST /PREFIX=ALL" + -
+       " /INCLUDE=(''CC_INCLUDES') " + -
+       CCEXTRAFLAGS
 $!
 $!    Define The Linker Options File Name.
 $!
-$     OPT_FILE = "''EXE_DIR'VAX_DECC_OPTIONS.OPT"
+$     OPT_FILE = "VAX_DECC_OPTIONS.OPT"
 $!
 $!  End DECC Check.
 $!
@@ -720,7 +871,7 @@ $	EXIT
 $     ENDIF
 $     IF F$TRNLNM("DECC$CC_DEFAULT").EQS."/DECC" THEN CC = "CC/VAXC"
 $     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
-	   "/INCLUDE=(SYS$DISK:[],SYS$DISK:[-],SYS$DISK:[.ENGINE.VENDOR_DEFNS])" + -
+	   "/INCLUDE=(''CC_INCLUDES')" + -
 	   CCEXTRAFLAGS
 $     CCDEFS = """VAXC""," + CCDEFS
 $!
@@ -730,7 +881,7 @@ $     DEFINE/NOLOG SYS SYS$COMMON:[SYSLIB]
 $!
 $!    Define The Linker Options File Name.
 $!
-$     OPT_FILE = "''EXE_DIR'VAX_VAXC_OPTIONS.OPT"
+$     OPT_FILE = "VAX_VAXC_OPTIONS.OPT"
 $!
 $!  End VAXC Check
 $!
@@ -752,12 +903,12 @@ $!
 $!    Use GNU C...
 $!
 $     CC = "GCC/NOCASE_HACK/''GCC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
-	   "/INCLUDE=(SYS$DISK:[],SYS$DISK:[-],SYS$DISK:[.ENGINE.VENDOR_DEFNS])" + -
+	   "/INCLUDE=(''CC_INCLUDES')" + -
 	   CCEXTRAFLAGS
 $!
 $!    Define The Linker Options File Name.
 $!
-$     OPT_FILE = "''EXE_DIR'VAX_GNUC_OPTIONS.OPT"
+$     OPT_FILE = "VAX_GNUC_OPTIONS.OPT"
 $!
 $!  End The GNU C Check.
 $!
@@ -773,12 +924,12 @@ $   IF COMPILER .EQS. "DECC"
 $   THEN
 $     IF CCDISABLEWARNINGS .NES. ""
 $     THEN
-$       CCDISABLEWARNINGS = "/WARNING=(DISABLE=(" + CCDISABLEWARNINGS + "))"
+$       CCDISABLEWARNINGS = " /WARNING=(DISABLE=(" + CCDISABLEWARNINGS + "))"
 $     ENDIF
 $   ELSE
 $     CCDISABLEWARNINGS = ""
 $   ENDIF
-$   CC = CC + "/DEFINE=(" + CCDEFS + ")" + CCDISABLEWARNINGS
+$   CC = CC + " /DEFINE=(" + CCDEFS + ")" + CCDISABLEWARNINGS
 $!
 $!  Show user the result
 $!
@@ -808,8 +959,12 @@ $ ENDIF
 $!
 $! Build a MACRO command for the architecture at hand
 $!
-$ IF ARCH .EQS. "VAX" THEN MACRO = "MACRO/''DEBUGGER'"
-$ IF ARCH .NES. "VAX" THEN MACRO = "MACRO/MIGRATION/''DEBUGGER'/''MACRO_OPTIMIZE'"
+$ IF ARCH .EQS. "VAX"
+$ THEN
+$   MACRO = "MACRO/''DEBUGGER'"
+$ ELSE
+$   MACRO = "MACRO/MIGRATION/''DEBUGGER'/''MACRO_OPTIMIZE'"
+$ ENDIF
 $!
 $!  Show user the result
 $!
@@ -829,7 +984,7 @@ $   THEN
 $!
 $!    Set the library to use SOCKETSHR
 $!
-$     TCPIP_LIB = "SYS$DISK:[-.VMS]SOCKETSHR_SHR.OPT/OPT"
+$     TCPIP_LIB = ",SYS$DISK:[-.VMS]SOCKETSHR_SHR.OPT /OPTIONS"
 $!
 $!    Done with SOCKETSHR
 $!
@@ -855,13 +1010,13 @@ $   THEN
 $!
 $!    Set the library to use UCX.
 $!
-$     TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_DECC.OPT/OPT"
+$     TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_DECC.OPT /OPTIONS"
 $     IF F$TRNLNM("UCX$IPC_SHR") .NES. ""
 $     THEN
-$       TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_DECC_LOG.OPT/OPT"
+$       TCPIP_LIB = ",SYS$DISK:[-.VMS]UCX_SHR_DECC_LOG.OPT /OPTIONS"
 $     ELSE
 $       IF COMPILER .NES. "DECC" .AND. ARCH .EQS. "VAX" THEN -
-	  TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_VAXC.OPT/OPT"
+	  TCPIP_LIB = ",SYS$DISK:[-.VMS]UCX_SHR_VAXC.OPT /OPTIONS"
 $     ENDIF
 $!
 $!    Done with UCX
@@ -875,7 +1030,7 @@ $   THEN
 $!
 $!    Set the library to use TCPIP (post UCX).
 $!
-$     TCPIP_LIB = "SYS$DISK:[-.VMS]TCPIP_SHR_DECC.OPT/OPT"
+$     TCPIP_LIB = ",SYS$DISK:[-.VMS]TCPIP_SHR_DECC.OPT /OPTIONS"
 $!
 $!    Done with TCPIP
 $!
@@ -896,7 +1051,7 @@ $   ENDIF
 $!
 $!  Print info
 $!
-$   WRITE SYS$OUTPUT "TCP/IP library spec: ", TCPIP_LIB
+$   WRITE SYS$OUTPUT "TCP/IP library spec: ", TCPIP_LIB- ","
 $!
 $!  Else The User Entered An Invalid Argument.
 $!
@@ -939,7 +1094,7 @@ $ __INCLUDE = __TOP + "INCLUDE.OPENSSL]"
 $!
 $! Set up the logical name OPENSSL to point at the include directory
 $!
-$ DEFINE OPENSSL/NOLOG '__INCLUDE'
+$ DEFINE OPENSSL /NOLOG '__INCLUDE'
 $!
 $! Done
 $!
@@ -947,15 +1102,24 @@ $ RETURN
 $!
 $ CLEANUP:
 $!
-$! Restore the logical name OPENSSL if it had a value
+$! Restore the saved logical name OPENSSL, if it had a value.
 $!
-$ IF __SAVE_OPENSSL .EQS. ""
-$ THEN
-$   DEASSIGN OPENSSL
-$ ELSE
-$   DEFINE/NOLOG OPENSSL '__SAVE_OPENSSL'
-$ ENDIF
+$ if (f$type( __SAVE_OPENSSL) .nes. "")
+$ then
+$   IF __SAVE_OPENSSL .EQS. ""
+$   THEN
+$     DEASSIGN OPENSSL
+$   ELSE
+$     DEFINE /NOLOG OPENSSL '__SAVE_OPENSSL'
+$   ENDIF
+$ endif
+$!
+$! Close any open files.
+$!
+$ if (f$trnlnm( "objects", "LNM$PROCESS", 0, "SUPERVISOR") .nes. "") then -
+   close objects
 $!
 $! Done
 $!
 $ RETURN
+$!
diff --git a/src/lib/libssl/src/install.com b/src/lib/libssl/src/install.com
index d15c23a832..6a0ea2d4de 100644
--- a/src/lib/libssl/src/install.com
+++ b/src/lib/libssl/src/install.com
@@ -3,99 +3,134 @@ $!
 $! Author: Richard Levitte <richard@levitte.org>
 $! Time of creation: 22-MAY-1998 10:13
 $!
-$! P1	root of the directory tree
-$!
-$	DEF_ORIG = F$ENVIRONMENT( "DEFAULT")
-$	ON ERROR THEN GOTO TIDY
-$	ON CONTROL_C THEN GOTO TIDY
-$
-$	IF P1 .EQS. ""
-$	THEN
-$	    WRITE SYS$OUTPUT "First argument missing."
-$	    WRITE SYS$OUTPUT -
-		  "It Should be the directory where you want things installed."
-$	    EXIT
-$	ENDIF
-$
-$	IF (F$GETSYI("CPU").LT.128)
-$	THEN
-$	    ARCH := VAX
-$	ELSE
-$	    ARCH = F$EDIT( F$GETSYI( "ARCH_NAME"), "UPCASE")
-$	    IF (ARCH .EQS. "") THEN ARCH = "UNK"
-$	ENDIF
-$
-$	ROOT = F$PARSE(P1,"[]A.;0",,,"SYNTAX_ONLY,NO_CONCEAL") - "A.;0"
-$	ROOT_DEV = F$PARSE(ROOT,,,"DEVICE","SYNTAX_ONLY")
-$	ROOT_DIR = F$PARSE(ROOT,,,"DIRECTORY","SYNTAX_ONLY") -
+$! P1  root of the directory tree
+$! P2  "64" for 64-bit pointers.
+$!
+$!
+$! Announce/identify.
+$!
+$ proc = f$environment( "procedure")
+$ write sys$output "@@@ "+ -
+   f$parse( proc, , , "name")+ f$parse( proc, , , "type")
+$!
+$ def_orig = f$environment( "default")
+$ on error then goto tidy
+$ on control_c then goto tidy
+$!
+$ if (p1 .eqs. "")
+$ then
+$   write sys$output "First argument missing."
+$   write sys$output -
+     "It should be the directory where you want things installed."
+$   exit
+$ endif
+$!
+$ if (f$getsyi("cpu") .lt. 128)
+$ then
+$   arch = "VAX"
+$ else
+$   arch = f$edit( f$getsyi( "arch_name"), "upcase")
+$   if (arch .eqs. "") then arch = "UNK"
+$ endif
+$!
+$ archd = arch
+$!
+$ if (p2 .nes. "")
+$ then
+$   if (p2 .eqs. "64")
+$   then
+$     archd = arch+ "_64"
+$   else
+$     if (p2 .nes. "32")
+$     then
+$       write sys$output "Second argument invalid."
+$       write sys$output "It should be "32", "64", or nothing."
+$       exit
+$     endif
+$   endif
+$ endif
+$!
+$ root = f$parse( p1, "[]A.;0", , , "syntax_only, no_conceal") - "A.;0"
+$ root_dev = f$parse( root, , , "device", "syntax_only")
+$ root_dir = f$parse( root, , , "directory", "syntax_only") -
 		   - ".][000000" - "[000000." - "][" - "[" - "]"
-$	ROOT = ROOT_DEV + "[" + ROOT_DIR
-$
-$	DEFINE/NOLOG WRK_SSLROOT 'ROOT'.] /TRANS=CONC
-$	DEFINE/NOLOG WRK_SSLXLIB WRK_SSLROOT:['ARCH'_LIB]
-$	DEFINE/NOLOG WRK_SSLLIB WRK_SSLROOT:[LIB]
-$	DEFINE/NOLOG WRK_SSLINCLUDE WRK_SSLROOT:[INCLUDE]
-$	DEFINE/NOLOG WRK_SSLXEXE WRK_SSLROOT:['ARCH'_EXE]
-$	DEFINE/NOLOG WRK_SSLCERTS WRK_SSLROOT:[CERTS]
-$	DEFINE/NOLOG WRK_SSLPRIVATE WRK_SSLROOT:[PRIVATE]
-$
+$ root = root_dev + "[" + root_dir
+$!
+$ define /nolog wrk_sslroot 'root'.] /trans=conc
+$ define /nolog wrk_sslcerts wrk_sslroot:[certs]
+$ define /nolog wrk_sslinclude wrk_sslroot:[include]
+$ define /nolog wrk_ssllib wrk_sslroot:[lib]
+$ define /nolog wrk_sslprivate wrk_sslroot:[private]
+$ define /nolog wrk_sslxexe wrk_sslroot:['archd'_exe]
+$ define /nolog wrk_sslxlib wrk_sslroot:['arch'_lib]
 $!
 $! Exhibit the destination directory.
 $!
-$	WRITE SYS$OUTPUT "   Installing to (WRK_SSLROOT) ="
-$	WRITE SYS$OUTPUT "    ''f$trnlnm( "WRK_SSLROOT")'"
-$	WRITE SYS$OUTPUT ""
-$
-$	IF F$PARSE("WRK_SSLROOT:[000000]") .EQS. "" THEN -
-	   CREATE/DIR/LOG WRK_SSLROOT:[000000]
-$	IF F$PARSE("WRK_SSLXEXE:") .EQS. "" THEN -
-	   CREATE/DIR/LOG WRK_SSLXEXE:
-$	IF F$PARSE("WRK_SSLXLIB:") .EQS. "" THEN -
-	   CREATE/DIR/LOG WRK_SSLXLIB:
-$	IF F$PARSE("WRK_SSLLIB:") .EQS. "" THEN -
-	   CREATE/DIR/LOG WRK_SSLLIB:
-$	IF F$PARSE("WRK_SSLINCLUDE:") .EQS. "" THEN -
-	   CREATE/DIR/LOG WRK_SSLINCLUDE:
-$	IF F$PARSE("WRK_SSLCERTS:") .EQS. "" THEN -
-	   CREATE/DIR/LOG WRK_SSLCERTS:
-$	IF F$PARSE("WRK_SSLPRIVATE:") .EQS. "" THEN -
-	   CREATE/DIR/LOG WRK_SSLPRIVATE:
-$	IF F$PARSE("WRK_SSLROOT:[VMS]") .EQS. "" THEN -
-	   CREATE/DIR/LOG WRK_SSLROOT:[VMS]
-$
-$	SDIRS := CRYPTO,SSL,APPS,VMS!,RSAREF,TEST,TOOLS
-$	EXHEADER := e_os2.h
-$
-$	COPY 'EXHEADER' WRK_SSLINCLUDE: /LOG
-$	SET FILE/PROT=WORLD:RE WRK_SSLINCLUDE:'EXHEADER'
-$
-$	I = 0
-$ LOOP_SDIRS: 
-$	D = F$ELEMENT(I, ",", SDIRS)
-$	I = I + 1
-$	IF D .EQS. "," THEN GOTO LOOP_SDIRS_END
-$	WRITE SYS$OUTPUT "Installing ",D," files."
-$	SET DEFAULT [.'D']
-$	@INSTALL 'ROOT']
-$	SET DEFAULT [-]
-$	GOTO LOOP_SDIRS
-$ LOOP_SDIRS_END:
-$
-$	WRITE SYS$OUTPUT ""
-$	WRITE SYS$OUTPUT "	Installation done!"
-$	WRITE SYS$OUTPUT ""
-$	WRITE SYS$OUTPUT "	You might want to purge ",ROOT,"...]"
-$	WRITE SYS$OUTPUT ""
-$
-$ TIDY:
-$	SET DEFAULT 'DEF_ORIG'
-$
-$	DEASSIGN WRK_SSLROOT
-$	DEASSIGN WRK_SSLXLIB
-$	DEASSIGN WRK_SSLLIB
-$	DEASSIGN WRK_SSLINCLUDE
-$	DEASSIGN WRK_SSLXEXE
-$	DEASSIGN WRK_SSLCERTS
-$	DEASSIGN WRK_SSLPRIVATE
-$
-$	EXIT
+$ write sys$output "   Installing to (WRK_SSLROOT) ="
+$ write sys$output "    ''f$trnlnm( "wrk_sslroot")'"
+$ write sys$output ""
+$!
+$ if f$parse("wrk_sslroot:[000000]") .eqs. "" then -
+   create /directory /log wrk_sslroot:[000000]
+$ if f$parse("wrk_sslxexe:") .eqs. "" then -
+   create /directory /log wrk_sslxexe:
+$ if f$parse("wrk_sslxlib:") .eqs. "" then -
+   create /directory /log wrk_sslxlib:
+$ if f$parse("wrk_ssllib:") .eqs. "" then -
+   create /directory /log wrk_ssllib:
+$ if f$parse("wrk_sslinclude:") .eqs. "" then -
+   create /directory /log wrk_sslinclude:
+$ if f$parse("wrk_sslcerts:") .eqs. "" then -
+   create /directory /log wrk_sslcerts:
+$ if f$parse("wrk_sslprivate:") .eqs. "" then -
+   create /directory /log wrk_sslprivate:
+$ if f$parse("wrk_sslroot:[VMS]") .EQS. "" THEN -
+   create /directory /log wrk_sslroot:[VMS]
+$!
+$ sdirs := CRYPTO, SSL, APPS, VMS !!!, RSAREF, TEST, TOOLS
+$ exheader := e_os2.h
+$!
+$ copy /protection = w:re 'exheader' wrk_sslinclude: /log
+$!
+$ i = 0
+$ loop_sdirs: 
+$   d = f$edit( f$element(i, ",", sdirs), "trim")
+$   i = i + 1
+$   if d .eqs. "," then goto loop_sdirs_end
+$   write sys$output "Installing ", d, " files."
+$   set default [.'d']
+$   @ install-'d'.com 'root'] 'p2'
+$   set default 'def_orig'
+$ goto loop_sdirs
+$ loop_sdirs_end:
+$!
+$ write sys$output ""
+$ write sys$output "	Installation done!"
+$ write sys$output ""
+$ if (f$search( root+ "...]*.*;-1") .nes. "")
+$ then
+$   write sys$output "	You might want to purge ", root, "...]"
+$   write sys$output ""
+$ endif
+$!
+$ tidy:
+$!
+$ set default 'def_orig'
+$!
+$ call deass wrk_sslroot
+$ call deass wrk_sslcerts
+$ call deass wrk_sslinclude
+$ call deass wrk_ssllib
+$ call deass wrk_sslprivate
+$ call deass wrk_sslxexe
+$ call deass wrk_sslxlib
+$!
+$ exit
+$!
+$ deass: subroutine
+$ if (f$trnlnm( p1, "LNM$PROCESS") .nes. "")
+$ then
+$   deassign /process 'p1'
+$ endif
+$ endsubroutine
+$!
diff --git a/src/lib/libssl/src/makevms.com b/src/lib/libssl/src/makevms.com
index b46e69a423..eb22f20db2 100644
--- a/src/lib/libssl/src/makevms.com
+++ b/src/lib/libssl/src/makevms.com
@@ -15,7 +15,7 @@ $! The "xxx" denotes the machine architecture of ALPHA, IA64 or VAX.
 $!
 $! This procedures accepts two command line options listed below.
 $!
-$! Specify one of the following build options for P1.
+$! P1 specifies one of the following build options:
 $!
 $!      ALL       Just build "everything".
 $!      CONFIG    Just build the "[.CRYPTO._xxx]OPENSSLCONF.H" file.
@@ -31,14 +31,21 @@ $!      TEST      Just build the "[.xxx.EXE.TEST]" test programs for OpenSSL.
 $!      APPS      Just build the "[.xxx.EXE.APPS]" application programs for OpenSSL.
 $!      ENGINES   Just build the "[.xxx.EXE.ENGINES]" application programs for OpenSSL.
 $!
+$! P2, if defined, specifies the C pointer size.  Ignored on VAX.
+$!      ("64=ARGV" gives more efficient code with HP C V7.3 or newer.)
+$!      Supported values are:
 $!
-$! P2 is ignored (it was used to denote if RSAref should be used or not,
-$! and is simply kept so surrounding scripts don't get confused)
+$!      ""       Compile with default (/NOPOINTER_SIZE).
+$!      32       Compile with /POINTER_SIZE=32 (SHORT).
+$!      64       Compile with /POINTER_SIZE=64[=ARGV] (LONG[=ARGV]).
+$!               (Automatically select ARGV if compiler supports it.)
+$!      64=      Compile with /POINTER_SIZE=64 (LONG).
+$!      64=ARGV  Compile with /POINTER_SIZE=64=ARGV (LONG=ARGV).
 $!
-$! Specify DEBUG or NODEBUG as P3 to compile with or without debugging
-$! information.
+$! P3 specifies DEBUG or NODEBUG, to compile with or without debugging
+$!    information.
 $!
-$! Specify which compiler as P4 to try to compile under.
+$! P4 specifies which compiler to try to compile under.
 $!
 $!	  VAXC	 For VAX C.
 $!	  DECC	 For DEC C.
@@ -60,8 +67,18 @@ $!	NONE		to avoid specifying which TCP/IP implementation to
 $!			use at build time (this works with DEC C).  This is
 $!			the default.
 $!
-$! P6, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up)
+$! P6, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up).
 $!
+$! P7, if defined, specifies a directory where ZLIB files (zlib.h,
+$! libz.olb) may be found.  Optionally, a non-default object library
+$! name may be included ("dev:[dir]libz_64.olb", for example).
+$!
+$!
+$! Announce/identify.
+$!
+$ proc = f$environment( "procedure")
+$ write sys$output "@@@ "+ -
+   f$parse( proc, , , "name")+ f$parse( proc, , , "type")
 $!
 $ DEF_ORIG = F$ENVIRONMENT( "DEFAULT")
 $ ON ERROR THEN GOTO TIDY
@@ -99,6 +116,10 @@ $! End The Architecture Check.
 $!
 $ ENDIF
 $!
+$ ARCHD = ARCH
+$ LIB32 = "32"
+$ POINTER_SIZE = ""
+$!
 $! Get VMS version.
 $!
 $ VMS_VERSION = f$edit( f$getsyi( "VERSION"), "TRIM")
@@ -173,12 +194,12 @@ $ CONFIG:
 $!
 $! Tell The User We Are Creating The [.CRYPTO._xxx]OPENSSLCONF.H File.
 $!
-$ WRITE SYS$OUTPUT "Creating [.CRYPTO._''ARCH']OPENSSLCONF.H Include File."
+$ WRITE SYS$OUTPUT "Creating [.CRYPTO.''ARCHD']OPENSSLCONF.H Include File."
 $!
 $! First, make sure the directory exists.
 $!
-$ IF F$PARSE("SYS$DISK:[.CRYPTO._''ARCH']") .EQS. "" THEN -
-     CREATE/DIRECTORY SYS$DISK:[.CRYPTO._'ARCH']
+$ IF F$PARSE("SYS$DISK:[.CRYPTO.''ARCHD']") .EQS. "" THEN -
+     CREATE/DIRECTORY SYS$DISK:[.CRYPTO.'ARCHD']
 $!
 $! Different tar/UnZip versions/option may have named the file differently
 $ IF F$SEARCH("[.crypto]opensslconf.h_in") .NES. ""
@@ -204,7 +225,7 @@ $!
 $! Create The [.CRYPTO._xxx]OPENSSLCONF.H File.
 $! Make sure it has the right format.
 $!
-$ OSCH_NAME = "SYS$DISK:[.CRYPTO._''ARCH']OPENSSLCONF.H"
+$ OSCH_NAME = "SYS$DISK:[.CRYPTO.''ARCHD']OPENSSLCONF.H"
 $ CREATE /FDL=SYS$INPUT: 'OSCH_NAME'
 RECORD
         FORMAT stream_lf
@@ -223,7 +244,7 @@ $ WRITE H_FILE "# define OPENSSL_SYS_VMS"
 $ WRITE H_FILE "#endif"
 $
 $! One of the best way to figure out what the list should be is to do
-$! the followin on a Unix system:
+$! the following on a Unix system:
 $!   grep OPENSSL_NO_ crypto/*/*.h ssl/*.h engines/*.h engines/*/*.h|grep ':# *if'|sed -e 's/^.*def //'|sort|uniq
 $! For that reason, the list will also always end up in alphabetical order
 $ CONFIG_LOGICALS := AES,-
@@ -321,7 +342,7 @@ $
 $! Architecture specific rule addtions
 $ IF ARCH .EQS. "VAX"
 $ THEN
-$   ! Disable algorithms that require 64 bit integers in C
+$   ! Disable algorithms that require 64-bit integers in C
 $   CONFIG_DISABLE_RULES = CONFIG_DISABLE_RULES + -
 			   ";/GOST" + -
 			   ";/WHIRLPOOL"
@@ -350,7 +371,8 @@ $
 $! Apply cascading disable rules
 $ CONFIG_DISABLE_I = 0
 $ CONFIG_DISABLE_LOOP0:
-$   CONFIG_DISABLE_E = F$EDIT(F$ELEMENT(CONFIG_DISABLE_I,";",CONFIG_DISABLE_RULES),"TRIM")
+$   CONFIG_DISABLE_E = F$EDIT(F$ELEMENT(CONFIG_DISABLE_I,";", -
+     CONFIG_DISABLE_RULES),"TRIM")
 $   CONFIG_DISABLE_I = CONFIG_DISABLE_I + 1
 $   IF CONFIG_DISABLE_E .EQS. "" THEN GOTO CONFIG_DISABLE_LOOP0
 $   IF CONFIG_DISABLE_E .EQS. ";" THEN GOTO CONFIG_DISABLE_LOOP0_END
@@ -360,7 +382,8 @@ $   CONFIG_DISABLE_DEPENDENTS = F$EDIT(F$ELEMENT(1,"/",CONFIG_DISABLE_E),"TRIM")
 $   TO_DISABLE := YES
 $   CONFIG_ALGO_I = 0
 $   CONFIG_DISABLE_LOOP1:
-$     CONFIG_ALGO_E = F$EDIT(F$ELEMENT(CONFIG_ALGO_I,",",CONFIG_DISABLE_ALGOS),"TRIM")
+$     CONFIG_ALGO_E = F$EDIT(F$ELEMENT(CONFIG_ALGO_I,",", -
+       CONFIG_DISABLE_ALGOS),"TRIM")
 $     CONFIG_ALGO_I = CONFIG_ALGO_I + 1
 $     IF CONFIG_ALGO_E .EQS. "" THEN GOTO CONFIG_DISABLE_LOOP1
 $     IF CONFIG_ALGO_E .EQS. "," THEN GOTO CONFIG_DISABLE_LOOP1_END
@@ -377,7 +400,8 @@ $   IF TO_DISABLE
 $   THEN
 $     CONFIG_DEPENDENT_I = 0
 $     CONFIG_DISABLE_LOOP2:
-$	CONFIG_DEPENDENT_E = F$EDIT(F$ELEMENT(CONFIG_DEPENDENT_I,",",CONFIG_DISABLE_DEPENDENTS),"TRIM")
+$	CONFIG_DEPENDENT_E = F$EDIT(F$ELEMENT(CONFIG_DEPENDENT_I,",", -
+         CONFIG_DISABLE_DEPENDENTS),"TRIM")
 $	CONFIG_DEPENDENT_I = CONFIG_DEPENDENT_I + 1
 $	IF CONFIG_DEPENDENT_E .EQS. "" THEN GOTO CONFIG_DISABLE_LOOP2
 $	IF CONFIG_DEPENDENT_E .EQS. "," THEN GOTO CONFIG_DISABLE_LOOP2_END
@@ -385,7 +409,8 @@ $       CONFIG_DISABLED_'CONFIG_DEPENDENT_E' := YES
 $       CONFIG_ENABLED_'CONFIG_DEPENDENT_E' := NO
 $	! Better not to assume defaults at this point...
 $	CONFIG_CHANGED_'CONFIG_DEPENDENT_E' := YES
-$	WRITE SYS$ERROR "''CONFIG_DEPENDENT_E' disabled by rule ''CONFIG_DISABLE_E'"
+$	WRITE SYS$ERROR -
+         "''CONFIG_DEPENDENT_E' disabled by rule ''CONFIG_DISABLE_E'"
 $	GOTO CONFIG_DISABLE_LOOP2
 $     CONFIG_DISABLE_LOOP2_END:
 $   ENDIF
@@ -395,7 +420,8 @@ $
 $! Apply cascading enable rules
 $ CONFIG_ENABLE_I = 0
 $ CONFIG_ENABLE_LOOP0:
-$   CONFIG_ENABLE_E = F$EDIT(F$ELEMENT(CONFIG_ENABLE_I,";",CONFIG_ENABLE_RULES),"TRIM")
+$   CONFIG_ENABLE_E = F$EDIT(F$ELEMENT(CONFIG_ENABLE_I,";", -
+     CONFIG_ENABLE_RULES),"TRIM")
 $   CONFIG_ENABLE_I = CONFIG_ENABLE_I + 1
 $   IF CONFIG_ENABLE_E .EQS. "" THEN GOTO CONFIG_ENABLE_LOOP0
 $   IF CONFIG_ENABLE_E .EQS. ";" THEN GOTO CONFIG_ENABLE_LOOP0_END
@@ -405,7 +431,8 @@ $   CONFIG_ENABLE_DEPENDENTS = F$EDIT(F$ELEMENT(1,"/",CONFIG_ENABLE_E),"TRIM")
 $   TO_ENABLE := YES
 $   CONFIG_ALGO_I = 0
 $   CONFIG_ENABLE_LOOP1:
-$     CONFIG_ALGO_E = F$EDIT(F$ELEMENT(CONFIG_ALGO_I,",",CONFIG_ENABLE_ALGOS),"TRIM")
+$     CONFIG_ALGO_E = F$EDIT(F$ELEMENT(CONFIG_ALGO_I,",", -
+       CONFIG_ENABLE_ALGOS),"TRIM")
 $     CONFIG_ALGO_I = CONFIG_ALGO_I + 1
 $     IF CONFIG_ALGO_E .EQS. "" THEN GOTO CONFIG_ENABLE_LOOP1
 $     IF CONFIG_ALGO_E .EQS. "," THEN GOTO CONFIG_ENABLE_LOOP1_END
@@ -422,7 +449,8 @@ $   IF TO_ENABLE
 $   THEN
 $     CONFIG_DEPENDENT_I = 0
 $     CONFIG_ENABLE_LOOP2:
-$	CONFIG_DEPENDENT_E = F$EDIT(F$ELEMENT(CONFIG_DEPENDENT_I,",",CONFIG_ENABLE_DEPENDENTS),"TRIM")
+$	CONFIG_DEPENDENT_E = F$EDIT(F$ELEMENT(CONFIG_DEPENDENT_I,",", -
+         CONFIG_ENABLE_DEPENDENTS),"TRIM")
 $	CONFIG_DEPENDENT_I = CONFIG_DEPENDENT_I + 1
 $	IF CONFIG_DEPENDENT_E .EQS. "" THEN GOTO CONFIG_ENABLE_LOOP2
 $	IF CONFIG_DEPENDENT_E .EQS. "," THEN GOTO CONFIG_ENABLE_LOOP2_END
@@ -430,7 +458,8 @@ $       CONFIG_DISABLED_'CONFIG_DEPENDENT_E' := NO
 $       CONFIG_ENABLED_'CONFIG_DEPENDENT_E' := YES
 $	! Better not to assume defaults at this point...
 $	CONFIG_CHANGED_'CONFIG_DEPENDENT_E' := YES
-$	WRITE SYS$ERROR "''CONFIG_DEPENDENT_E' enabled by rule ''CONFIG_ENABLE_E'"
+$	WRITE SYS$ERROR -
+         "''CONFIG_DEPENDENT_E' enabled by rule ''CONFIG_ENABLE_E'"
 $	GOTO CONFIG_ENABLE_LOOP2
 $     CONFIG_ENABLE_LOOP2_END:
 $   ENDIF
@@ -460,6 +489,17 @@ $   ENDIF
 $   GOTO CONFIG_LOG_LOOP2
 $ CONFIG_LOG_LOOP2_END:
 $!
+$ WRITE H_FILE ""
+$ WRITE H_FILE "/* 2011-02-23 SMS."
+$ WRITE H_FILE " * On VMS (V8.3), setvbuf() doesn't support a 64-bit"
+$ WRITE H_FILE " * ""in"" pointer, and the help says:"
+$ WRITE H_FILE " *       Please note that the previously documented"
+$ WRITE H_FILE " *       value _IONBF is not supported."
+$ WRITE H_FILE " * So, skip it on VMS."
+$ WRITE H_FILE " */"
+$ WRITE H_FILE "#define OPENSSL_NO_SETVBUF_IONBF"
+$ WRITE H_FILE ""
+$!
 $! Add in the common "crypto/opensslconf.h.in".
 $!
 $ TYPE 'OPENSSLCONF_H_IN' /OUTPUT=H_FILE:
@@ -552,7 +592,7 @@ $ CLOSE H_FILE
 $!
 $! Purge The [.CRYPTO._xxx]OPENSSLCONF.H file
 $!
-$ PURGE SYS$DISK:[.CRYPTO._'ARCH']OPENSSLCONF.H
+$ PURGE SYS$DISK:[.CRYPTO.'ARCHD']OPENSSLCONF.H
 $!
 $! That's All, Time To RETURN.
 $!
@@ -564,11 +604,11 @@ $ BUILDINF:
 $!
 $! Tell The User We Are Creating The [.CRYPTO._xxx]BUILDINF.H File.
 $!
-$ WRITE SYS$OUTPUT "Creating [.CRYPTO._''ARCH']BUILDINF.H Include File."
+$ WRITE SYS$OUTPUT "Creating [.CRYPTO.''ARCHD']BUILDINF.H Include File."
 $!
 $! Create The [.CRYPTO._xxx]BUILDINF.H File.
 $!
-$ BIH_NAME = "SYS$DISK:[.CRYPTO._''ARCH']BUILDINF.H"
+$ BIH_NAME = "SYS$DISK:[.CRYPTO.''ARCHD']BUILDINF.H"
 $ CREATE /FDL=SYS$INPUT: 'BIH_NAME'
 RECORD
         FORMAT stream_lf
@@ -581,8 +621,19 @@ $ TIME = F$TIME()
 $!
 $! Write The [.CRYPTO._xxx]BUILDINF.H File.
 $!
-$ WRITE H_FILE "#define CFLAGS """" /* Not filled in for now */"
-$ WRITE H_FILE "#define PLATFORM ""VMS ''ARCH' ''VMS_VERSION'"""
+$ CFLAGS = ""
+$ if (POINTER_SIZE .nes. "")
+$ then
+$   CFLAGS = CFLAGS+ "/POINTER_SIZE=''POINTER_SIZE'"
+$ endif
+$ if (ZLIB .nes. "")
+$ then
+$   if (CFLAGS .nes. "") then CFLAGS = CFLAGS+ " "
+$   CFLAGS = CFLAGS+ "/DEFINE=ZLIB"
+$ endif
+$! 
+$ WRITE H_FILE "#define CFLAGS ""''CFLAGS'"""
+$ WRITE H_FILE "#define PLATFORM ""VMS ''ARCHD' ''VMS_VERSION'"""
 $ WRITE H_FILE "#define DATE ""''TIME'"" "
 $!
 $! Close The [.CRYPTO._xxx]BUILDINF.H File.
@@ -591,7 +642,12 @@ $ CLOSE H_FILE
 $!
 $! Purge The [.CRYPTO._xxx]BUILDINF.H File.
 $!
-$ PURGE SYS$DISK:[.CRYPTO._'ARCH']BUILDINF.H
+$ PURGE SYS$DISK:[.CRYPTO.'ARCHD']BUILDINF.H
+$!
+$! Delete [.CRYPTO]BUILDINF.H File, as there might be some residue from Unix.
+$!
+$ IF F$SEARCH("[.CRYPTO]BUILDINF.H") .NES. "" THEN -
+     DELETE SYS$DISK:[.CRYPTO]BUILDINF.H;*
 $!
 $! That's All, Time To RETURN.
 $!
@@ -601,44 +657,58 @@ $! Copy a lot of files around.
 $!
 $ SOFTLINKS: 
 $!
-$! Tell The User We Are Partly Rebuilding The [.APPS] Directory.
-$!
-$ WRITE SYS$OUTPUT "Rebuilding The '[.APPS]MD4.C' File."
-$!
-$ DELETE SYS$DISK:[.APPS]MD4.C;*
-$!
-$! Copy MD4.C from [.CRYPTO.MD4] into [.APPS]
-$!
-$ COPY SYS$DISK:[.CRYPTO.MD4]MD4.C SYS$DISK:[.APPS]
-$!
-$! Tell The User We Are Rebuilding The [.INCLUDE.OPENSSL] Directory.
-$!
-$ WRITE SYS$OUTPUT "Rebuilding The '[.INCLUDE.OPENSSL]' Directory."
-$!
-$! First, make sure the directory exists
-$!
-$ IF F$PARSE("SYS$DISK:[.INCLUDE.OPENSSL]") .EQS. "" THEN -
-     CREATE/DIRECTORY SYS$DISK:[.INCLUDE.OPENSSL]
+$!!!! Tell The User We Are Partly Rebuilding The [.APPS] Directory.
+$!!!!
+$!!! WRITE SYS$OUTPUT "Rebuilding The '[.APPS]MD4.C' File."
+$!!!!
+$!!! DELETE SYS$DISK:[.APPS]MD4.C;*
+$!!!!
+$!!!! Copy MD4.C from [.CRYPTO.MD4] into [.APPS]
+$!!!!
+$!!! COPY SYS$DISK:[.CRYPTO.MD4]MD4.C SYS$DISK:[.APPS]
+$!
+$! Ensure that the [.include.openssl] directory contains a full set of
+$! real header files.  The distribution kit may have left real or fake
+$! symlinks there.  Rather than think about what's there, simply delete
+$! the destination files (fake or real symlinks) before copying the real
+$! header files in.  (Copying a real header file onto a real symlink
+$! merely duplicates the real header file at its source.)
+$!
+$! Tell The User We Are Rebuilding The [.include.openssl] Directory.
+$!
+$ WRITE SYS$OUTPUT "Rebuilding The '[.include.openssl]' Directory."
+$!
+$! First, make sure the directory exists.  If it did exist, delete all
+$! the existing header files (or fake or real symlinks).
+$!
+$ if f$parse( "sys$disk:[.include.openssl]") .eqs. ""
+$ then
+$   create /directory sys$disk:[.include.openssl]
+$ else
+$   delete sys$disk:[.include.openssl]*.h;*
+$ endif
 $!
 $! Copy All The ".H" Files From The Main Directory.
 $!
 $ EXHEADER := e_os2.h
-$ COPY 'EXHEADER' SYS$DISK:[.INCLUDE.OPENSSL]
+$ copy 'exheader' sys$disk:[.include.openssl]
 $!
 $! Copy All The ".H" Files From The [.CRYPTO] Directory Tree.
 $!
-$ SDIRS := ,-
-   _'ARCH',-
-   OBJECTS,-
-   MD2,MD4,MD5,SHA,MDC2,HMAC,RIPEMD,WHRLPOOL,-
-   DES,AES,RC2,RC4,RC5,IDEA,BF,CAST,CAMELLIA,SEED,MODES,-
-   BN,EC,RSA,DSA,ECDSA,DH,ECDH,DSO,ENGINE,-
-   BUFFER,BIO,STACK,LHASH,RAND,ERR,-
-   EVP,ASN1,PEM,X509,X509V3,CONF,TXT_DB,PKCS7,PKCS12,COMP,OCSP,UI,KRB5,-
-   STORE,CMS,PQUEUE,TS,JPAKE
-$ EXHEADER_ := crypto.h,opensslv.h,ebcdic.h,symhacks.h,ossl_typ.h
-$ EXHEADER__'ARCH' := opensslconf.h
-$ EXHEADER_OBJECTS := objects.h,obj_mac.h
+$ SDIRS := , -
+   'ARCHD', -
+   OBJECTS, -
+   MD2, MD4, MD5, SHA, MDC2, HMAC, RIPEMD, WHRLPOOL, -
+   DES, AES, RC2, RC4, RC5, IDEA, BF, CAST, CAMELLIA, SEED, MODES, -
+   BN, EC, RSA, DSA, ECDSA, DH, ECDH, DSO, ENGINE, -
+   BUFFER, BIO, STACK, LHASH, RAND, ERR, -
+   EVP, ASN1, PEM, X509, X509V3, CONF, TXT_DB, PKCS7, PKCS12, -
+   COMP, OCSP, UI, KRB5, -
+   STORE, CMS, PQUEUE, TS, JPAKE
+$!
+$ EXHEADER_ := crypto.h, opensslv.h, ebcdic.h, symhacks.h, ossl_typ.h
+$ EXHEADER_'ARCHD' := opensslconf.h
+$ EXHEADER_OBJECTS := objects.h, obj_mac.h
 $ EXHEADER_MD2 := md2.h
 $ EXHEADER_MD4 := md4.h
 $ EXHEADER_MD5 := md5.h
@@ -647,7 +717,7 @@ $ EXHEADER_MDC2 := mdc2.h
 $ EXHEADER_HMAC := hmac.h
 $ EXHEADER_RIPEMD := ripemd.h
 $ EXHEADER_WHRLPOOL := whrlpool.h
-$ EXHEADER_DES := des.h,des_old.h
+$ EXHEADER_DES := des.h, des_old.h
 $ EXHEADER_AES := aes.h
 $ EXHEADER_RC2 := rc2.h
 $ EXHEADER_RC4 := rc4.h
@@ -669,66 +739,64 @@ $ EXHEADER_DSO := dso.h
 $ EXHEADER_ENGINE := engine.h
 $ EXHEADER_BUFFER := buffer.h
 $ EXHEADER_BIO := bio.h
-$ EXHEADER_STACK := stack.h,safestack.h
+$ EXHEADER_STACK := stack.h, safestack.h
 $ EXHEADER_LHASH := lhash.h
 $ EXHEADER_RAND := rand.h
 $ EXHEADER_ERR := err.h
 $ EXHEADER_EVP := evp.h
-$ EXHEADER_ASN1 := asn1.h,asn1_mac.h,asn1t.h
-$ EXHEADER_PEM := pem.h,pem2.h
-$ EXHEADER_X509 := x509.h,x509_vfy.h
+$ EXHEADER_ASN1 := asn1.h, asn1_mac.h, asn1t.h
+$ EXHEADER_PEM := pem.h, pem2.h
+$ EXHEADER_X509 := x509.h, x509_vfy.h
 $ EXHEADER_X509V3 := x509v3.h
-$ EXHEADER_CONF := conf.h,conf_api.h
+$ EXHEADER_CONF := conf.h, conf_api.h
 $ EXHEADER_TXT_DB := txt_db.h
 $ EXHEADER_PKCS7 := pkcs7.h
 $ EXHEADER_PKCS12 := pkcs12.h
 $ EXHEADER_COMP := comp.h
 $ EXHEADER_OCSP := ocsp.h
-$ EXHEADER_UI := ui.h,ui_compat.h
+$ EXHEADER_UI := ui.h, ui_compat.h
 $ EXHEADER_KRB5 := krb5_asn.h
-$!EXHEADER_STORE := store.h,str_compat.h
+$!!! EXHEADER_STORE := store.h, str_compat.h
 $ EXHEADER_STORE := store.h
 $ EXHEADER_CMS := cms.h
 $ EXHEADER_PQUEUE := pqueue.h
 $ EXHEADER_TS := ts.h
 $ EXHEADER_JPAKE := jpake.h
-$
-$ I = 0
-$ LOOP_SDIRS: 
-$ D = F$EDIT(F$ELEMENT(I, ",", SDIRS),"TRIM")
-$ I = I + 1
-$ IF D .EQS. "," THEN GOTO LOOP_SDIRS_END
-$ tmp = EXHEADER_'D'
-$ IF D .EQS. ""
-$ THEN
-$   COPY [.CRYPTO]'tmp' SYS$DISK:[.INCLUDE.OPENSSL] !/LOG
-$ ELSE
-$   COPY [.CRYPTO.'D']'tmp' SYS$DISK:[.INCLUDE.OPENSSL] !/LOG
-$ ENDIF
-$ GOTO LOOP_SDIRS
-$ LOOP_SDIRS_END:
+$!
+$ i = 0
+$ loop_sdirs:
+$   sdir = f$edit( f$element( i, ",", sdirs), "trim")
+$   i = i + 1
+$   if (sdir .eqs. ",") then goto loop_sdirs_end
+$   hdr_list = exheader_'sdir'
+$   if (sdir .nes. "") then sdir = "."+ sdir
+$   copy [.crypto'sdir']'hdr_list' sys$disk:[.include.openssl]
+$ goto loop_sdirs
+$ loop_sdirs_end:
 $!
 $! Copy All The ".H" Files From The [.SSL] Directory.
 $!
-$ EXHEADER := ssl.h,ssl2.h,ssl3.h,ssl23.h,tls1.h,dtls1.h,kssl.h
-$ COPY SYS$DISK:[.SSL]'EXHEADER' SYS$DISK:[.INCLUDE.OPENSSL]
+$! (keep these in the same order as ssl/Makefile)
+$ EXHEADER := ssl.h, ssl2.h, ssl3.h, ssl23.h, tls1.h, dtls1.h, kssl.h
+$ copy sys$disk:[.ssl]'exheader' sys$disk:[.include.openssl]
 $!
-$! Purge all doubles
+$! Purge the [.include.openssl] header files.
 $!
-$ PURGE SYS$DISK:[.INCLUDE.OPENSSL]*.H
+$ purge sys$disk:[.include.openssl]*.h
 $!
 $! That's All, Time To RETURN.
 $!
 $ RETURN
 $!
-$! Build The "[.xxx.EXE.CRYPTO]LIBCRYPTO.OLB" Library.
+$! Build The "[.xxx.EXE.CRYPTO]SSL_LIBCRYPTO''LIB32'.OLB" Library.
 $!
 $ CRYPTO:
 $!
 $! Tell The User What We Are Doing.
 $!
 $ WRITE SYS$OUTPUT ""
-$ WRITE SYS$OUTPUT "Building The [.",ARCH,".EXE.CRYPTO]LIBCRYPTO.OLB Library."
+$ WRITE SYS$OUTPUT -
+   "Building The [.",ARCHD,".EXE.CRYPTO]SSL_LIBCRYPTO''LIB32'.OLB Library."
 $!
 $! Go To The [.CRYPTO] Directory.
 $!
@@ -736,11 +804,13 @@ $ SET DEFAULT SYS$DISK:[.CRYPTO]
 $!
 $! Build The [.xxx.EXE.CRYPTO]LIBCRYPTO.OLB Library.
 $!  
-$ @CRYPTO-LIB LIBRARY 'DEBUGGER' "''COMPILER'" "''TCPIP_TYPE'" "''ISSEVEN'" "''BUILDPART'"
+$ @CRYPTO-LIB LIBRARY 'DEBUGGER' "''COMPILER'" "''TCPIP_TYPE'" -
+   "''ISSEVEN'" "''BUILDPART'" "''POINTER_SIZE'" "''ZLIB'"
 $!
 $! Build The [.xxx.EXE.CRYPTO]*.EXE Test Applications.
 $!  
-$ @CRYPTO-LIB APPS 'DEBUGGER' "''COMPILER'" "''TCPIP_TYPE'" 'ISSEVEN' "''BUILDPART'"
+$ @CRYPTO-LIB APPS 'DEBUGGER' "''COMPILER'" "''TCPIP_TYPE'" -
+   "''ISSEVEN'" "''BUILDPART'" "''POINTER_SIZE'" "''ZLIB'"
 $!
 $! Go Back To The Main Directory.
 $!
@@ -750,14 +820,15 @@ $! Time To RETURN.
 $!
 $ RETURN
 $!
-$! Build The "[.xxx.EXE.SSL]LIBSSL.OLB" Library.
+$! Build The "[.xxx.EXE.SSL]SSL_LIBSSL''LIB32'.OLB" Library.
 $!
 $ SSL:
 $!
 $! Tell The User What We Are Doing.
 $!
 $ WRITE SYS$OUTPUT ""
-$ WRITE SYS$OUTPUT "Building The [.",ARCH,".EXE.SSL]LIBSSL.OLB Library."
+$ WRITE SYS$OUTPUT -
+   "Building The [.",ARCHD,".EXE.SSL]SSL_LIBSSL''LIB32'.OLB Library."
 $!
 $! Go To The [.SSL] Directory.
 $!
@@ -765,7 +836,8 @@ $ SET DEFAULT SYS$DISK:[.SSL]
 $!
 $! Build The [.xxx.EXE.SSL]LIBSSL.OLB Library.
 $!
-$ @SSL-LIB LIBRARY 'DEBUGGER' "''COMPILER'" "''TCPIP_TYPE'" 'ISSEVEN'
+$ @SSL-LIB LIBRARY 'DEBUGGER' "''COMPILER'" "''TCPIP_TYPE'" -
+   "''ISSEVEN'" "''POINTER_SIZE'" "''ZLIB'"
 $!
 $! Go Back To The Main Directory.
 $!
@@ -782,7 +854,8 @@ $!
 $! Tell The User What We Are Doing.
 $!
 $ WRITE SYS$OUTPUT ""
-$ WRITE SYS$OUTPUT "Building DECNet Based SSL Engine, [.",ARCH,".EXE.SSL]SSL_TASK.EXE"
+$ WRITE SYS$OUTPUT -
+   "Building DECNet Based SSL Engine, [.",ARCHD,".EXE.SSL]SSL_TASK.EXE"
 $!
 $! Go To The [.SSL] Directory.
 $!
@@ -790,7 +863,8 @@ $ SET DEFAULT SYS$DISK:[.SSL]
 $!
 $! Build The [.xxx.EXE.SSL]SSL_TASK.EXE
 $!
-$ @SSL-LIB SSL_TASK 'DEBUGGER' "''COMPILER'" "''TCPIP_TYPE'" 'ISSEVEN'
+$ @SSL-LIB SSL_TASK 'DEBUGGER' "''COMPILER'" "''TCPIP_TYPE'" -
+   "''ISSEVEN'" "''POINTER_SIZE'" "''ZLIB'"
 $!
 $! Go Back To The Main Directory.
 $!
@@ -807,7 +881,7 @@ $!
 $! Tell The User What We Are Doing.
 $!
 $ WRITE SYS$OUTPUT ""
-$ WRITE SYS$OUTPUT "Building The OpenSSL [.",ARCH,".EXE.TEST] Test Utilities."
+$ WRITE SYS$OUTPUT "Building The OpenSSL [.",ARCHD,".EXE.TEST] Test Utilities."
 $!
 $! Go To The [.TEST] Directory.
 $!
@@ -815,7 +889,8 @@ $ SET DEFAULT SYS$DISK:[.TEST]
 $!
 $! Build The Test Programs.
 $!
-$ @MAKETESTS 'DEBUGGER' "''COMPILER'" "''TCPIP_TYPE'" 'ISSEVEN'
+$ @MAKETESTS 'DEBUGGER' "''COMPILER'" "''TCPIP_TYPE'" "''ISSEVEN'" -
+   "''POINTER_SIZE'" "''ZLIB'"
 $!
 $! Go Back To The Main Directory.
 $!
@@ -832,7 +907,7 @@ $!
 $! Tell The User What We Are Doing.
 $!
 $ WRITE SYS$OUTPUT ""
-$ WRITE SYS$OUTPUT "Building OpenSSL [.",ARCH,".EXE.APPS] Applications."
+$ WRITE SYS$OUTPUT "Building OpenSSL [.",ARCHD,".EXE.APPS] Applications."
 $!
 $! Go To The [.APPS] Directory.
 $!
@@ -840,7 +915,8 @@ $ SET DEFAULT SYS$DISK:[.APPS]
 $!
 $! Build The Application Programs.
 $!
-$ @MAKEAPPS 'DEBUGGER' "''COMPILER'" "''TCPIP_TYPE'" 'ISSEVEN'
+$ @MAKEAPPS 'DEBUGGER' "''COMPILER'" "''TCPIP_TYPE'" "''ISSEVEN'" -
+   "" "''POINTER_SIZE'" "''ZLIB'"
 $!
 $! Go Back To The Main Directory.
 $!
@@ -857,7 +933,7 @@ $!
 $! Tell The User What We Are Doing.
 $!
 $ WRITE SYS$OUTPUT ""
-$ WRITE SYS$OUTPUT "Building OpenSSL [.",ARCH,".EXE.ENGINES] Engines."
+$ WRITE SYS$OUTPUT "Building OpenSSL [.",ARCHD,".EXE.ENGINES] Engines."
 $!
 $! Go To The [.ENGINES] Directory.
 $!
@@ -865,7 +941,8 @@ $ SET DEFAULT SYS$DISK:[.ENGINES]
 $!
 $! Build The Application Programs.
 $!
-$ @MAKEENGINES ENGINES 'DEBUGGER' "''COMPILER'" "''TCPIP_TYPE'" 'ISSEVEN' "''BUILDPART'"
+$ @MAKEENGINES ENGINES 'DEBUGGER' "''COMPILER'" "''TCPIP_TYPE'" -
+   "''ISSEVEN'" "''BUILDPART'" "''POINTER_SIZE'" "''ZLIB'"
 $!
 $! Go Back To The Main Directory.
 $!
@@ -922,9 +999,9 @@ $!
 $!    Tell The User We Don't Know What They Want.
 $!
 $     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "USAGE:   @MAKEVMS.COM [Target] [not-used option] [Debug option] <Compiler>"
+$     WRITE SYS$OUTPUT "USAGE:   @MAKEVMS.COM [Target] [Pointer size] [Debug option] <Compiler>"
 $     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "Example: @MAKEVMS.COM ALL NORSAREF NODEBUG "
+$     WRITE SYS$OUTPUT "Example: @MAKEVMS.COM ALL """" NODEBUG "
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT "The Target ",P1," Is Invalid.  The Valid Target Options Are:"
 $     WRITE SYS$OUTPUT ""
@@ -944,8 +1021,8 @@ $     WRITE SYS$OUTPUT "    ENGINES  :  To Build Just The ENGINES"
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT " Where 'xxx' Stands For:"
 $     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "    ALPHA    :  Alpha Architecture."
-$     WRITE SYS$OUTPUT "    IA64     :  IA64 Architecture."
+$     WRITE SYS$OUTPUT "    ALPHA[64]:  Alpha Architecture."
+$     WRITE SYS$OUTPUT "    IA64[64] :  IA64 Architecture."
 $     WRITE SYS$OUTPUT "    VAX      :  VAX Architecture."
 $     WRITE SYS$OUTPUT ""
 $!
@@ -961,6 +1038,54 @@ $! End The P1 Check.
 $!
 $ ENDIF
 $!
+$! Check P2 (POINTER_SIZE).
+$!
+$ IF (P2 .NES. "") .AND. (ARCH .NES. "VAX")
+$ THEN
+$!
+$   IF (P2 .EQS. "32")
+$   THEN
+$     POINTER_SIZE = "32"
+$   ELSE
+$     POINTER_SIZE = F$EDIT( P2, "COLLAPSE, UPCASE")
+$     IF ((POINTER_SIZE .EQS. "64") .OR. -
+       (POINTER_SIZE .EQS. "64=") .OR. -
+       (POINTER_SIZE .EQS. "64=ARGV"))
+$     THEN
+$       ARCHD = ARCH+ "_64"
+$       LIB32 = ""
+$     ELSE
+$!
+$!      Tell The User Entered An Invalid Option.
+$!
+$       WRITE SYS$OUTPUT ""
+$       WRITE SYS$OUTPUT "The Option ", P2, -
+         " Is Invalid.  The Valid Options Are:"
+$       WRITE SYS$OUTPUT ""
+$       WRITE SYS$OUTPUT -
+         "    """"       :  Compile with default (short) pointers."
+$       WRITE SYS$OUTPUT -
+         "    32       :  Compile with 32-bit (short) pointers."
+$       WRITE SYS$OUTPUT -
+         "    64       :  Compile with 64-bit (long) pointers (auto ARGV)."
+$       WRITE SYS$OUTPUT -
+         "    64=      :  Compile with 64-bit (long) pointers (no ARGV)."
+$       WRITE SYS$OUTPUT -
+         "    64=ARGV  :  Compile with 64-bit (long) pointers (ARGV)."
+$       WRITE SYS$OUTPUT ""
+$! 
+$!      Time To EXIT.
+$!
+$       GOTO TIDY
+$!
+$     ENDIF
+$!
+$   ENDIF
+$!
+$! End The P2 (POINTER_SIZE) Check.
+$!
+$ ENDIF
+$!
 $! Check To See If P3 Is Blank.
 $!
 $ IF (P3.EQS."NODEBUG")
@@ -987,7 +1112,7 @@ $!  Else...
 $!
 $   ELSE
 $!
-$!    Tell The User Entered An Invalid Option..
+$!    Tell The User Entered An Invalid Option.
 $!
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT "The Option ",P3," Is Invalid.  The Valid Options Are:"
@@ -1066,7 +1191,7 @@ $! Else...
 $!
 $ ELSE
 $!
-$!  Check To See If The User Entered A Valid Paramter.
+$!  Check To See If The User Entered A Valid Parameter.
 $!
 $   IF (P4.EQS."VAXC").OR.(P4.EQS."DECC").OR.(P4.EQS."GNUC")!.OR.(P4.EQS."LINK")
 $   THEN
@@ -1165,7 +1290,8 @@ $! End The P4 Check.
 $!
 $ ENDIF
 $!
-$! Time to check the contents of P5, and to make sure we get the correct library.
+$! Time to check the contents of P5, and to make sure we get the correct
+$! library.
 $!
 $ IF P5.EQS."SOCKETSHR" .OR. P5.EQS."MULTINET" .OR. P5.EQS."UCX" -
      .OR. P5.EQS."TCPIP" .OR. P5.EQS."NONE"
@@ -1178,7 +1304,7 @@ $   THEN
 $!
 $!    Set the library to use SOCKETSHR
 $!
-$     TCPIP_LIB = "SYS$DISK:[-.VMS]SOCKETSHR_SHR.OPT/OPT"
+$     TCPIP_LIB = "SYS$DISK:[-.VMS]SOCKETSHR_SHR.OPT /OPTIONS"
 $!
 $!    Tell the user
 $!
@@ -1212,7 +1338,7 @@ $   THEN
 $!
 $!    Set the library to use UCX.
 $!
-$     TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_DECC.OPT/OPT"
+$     TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_DECC.OPT /OPTIONS"
 $!
 $!    Tell the user
 $!
@@ -1229,7 +1355,7 @@ $   THEN
 $!
 $!    Set the library to use TCPIP (post UCX).
 $!
-$     TCPIP_LIB = "SYS$DISK:[-.VMS]TCPIP_SHR_DECC.OPT/OPT"
+$     TCPIP_LIB = "SYS$DISK:[-.VMS]TCPIP_SHR_DECC.OPT /OPTIONS"
 $!
 $!    Tell the user
 $!
@@ -1339,11 +1465,69 @@ $! End The P6 Check.
 $!
 $ ENDIF
 $!
+$!
+$! Check To See If We Have A ZLIB Option.
+$!
+$ ZLIB = P7
+$ IF (ZLIB .NES. "")
+$ THEN
+$!
+$!  Check for expected ZLIB files.
+$!
+$   err = 0
+$   file1 = f$parse( "zlib.h", ZLIB, , , "SYNTAX_ONLY")
+$   if (f$search( file1) .eqs. "")
+$   then
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "The Option ", ZLIB, " Is Invalid."
+$     WRITE SYS$OUTPUT "    Can't find header: ''file1'"
+$     err = 1
+$   endif
+$!
+$   file2 = f$parse( ZLIB, "libz.olb", , , "SYNTAX_ONLY")
+$   if (f$search( file2) .eqs. "")
+$   then
+$     if (err .eq. 0)
+$     then
+$       WRITE SYS$OUTPUT ""
+$       WRITE SYS$OUTPUT "The Option ", ZLIB, " Is Invalid."
+$     endif
+$     WRITE SYS$OUTPUT "    Can't find library: ''file2'"
+$     WRITE SYS$OUTPUT ""
+$     err = err+ 2
+$   endif
+$   if (err .eq. 1)
+$   then
+$     WRITE SYS$OUTPUT ""
+$   endif
+$!
+$   if (err .ne. 0)
+$   then
+$     GOTO TIDY
+$   endif
+$!
+$!  Print info
+$!
+$   WRITE SYS$OUTPUT "ZLIB library spec: ", file2
+$!
+$! End The ZLIB Check.
+$!
+$ ENDIF
+$!
 $!  Time To RETURN...
 $!
 $ RETURN
 $!
 $ TIDY:
+$!
+$! Close any open files.
+$!
+$ if (f$trnlnm( "h_file", "LNM$PROCESS", 0, "SUPERVISOR") .nes. "") then -
+   close h_file
+$!
+$! Restore the original default device:[directory].
+$!
 $ SET DEFAULT 'DEF_ORIG'
+$!
 $ EXIT
 $!
diff --git a/src/lib/libssl/src/ms/uplink.c b/src/lib/libssl/src/ms/uplink.c
index 7b7da08d47..6d59cb1f87 100644
--- a/src/lib/libssl/src/ms/uplink.c
+++ b/src/lib/libssl/src/ms/uplink.c
@@ -40,7 +40,8 @@ void OPENSSL_Uplink (volatile void **table, int index)
      * should be sufficient [it prohibits compiler to reorder memory
      * access instructions]. */
     do {
-	len = _stprintf (msg,_T("OPENSSL_Uplink(%p,%02X): "),table,index);
+	len = _sntprintf (msg,sizeof(msg)/sizeof(TCHAR),
+			  _T("OPENSSL_Uplink(%p,%02X): "),table,index);
 	_tcscpy (msg+len,_T("unimplemented function"));
 
 	if ((h=apphandle)==NULL)
diff --git a/src/lib/libssl/src/openssl.spec b/src/lib/libssl/src/openssl.spec
index bed337b638..e4db875539 100644
--- a/src/lib/libssl/src/openssl.spec
+++ b/src/lib/libssl/src/openssl.spec
@@ -2,15 +2,15 @@
 %define libmaj 1
 %define libmin 0
 %define librel 0
-%define librev a
+%define librev e
 Release: 1
 
 %define openssldir /var/ssl
 
 Summary: Secure Sockets Layer and cryptography libraries and tools
 Name: openssl
-Version: %{libmaj}.%{libmin}.%{librel}
-#Version: %{libmaj}.%{libmin}.%{librel}%{librev}
+#Version: %{libmaj}.%{libmin}.%{librel}
+Version: %{libmaj}.%{libmin}.%{librel}%{librev}
 Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz
 Copyright: Freely distributable
 Group: System Environment/Libraries
diff --git a/src/lib/libssl/src/ssl/bio_ssl.c b/src/lib/libssl/src/ssl/bio_ssl.c
index af319af302..eedac8a3fc 100644
--- a/src/lib/libssl/src/ssl/bio_ssl.c
+++ b/src/lib/libssl/src/ssl/bio_ssl.c
@@ -348,7 +348,11 @@ static long ssl_ctrl(BIO *b, int cmd, long num, void *ptr)
 		break;
 	case BIO_C_SET_SSL:
 		if (ssl != NULL)
+			{
 			ssl_free(b);
+			if (!ssl_new(b))
+				return 0;
+			}
 		b->shutdown=(int)num;
 		ssl=(SSL *)ptr;
 		((BIO_SSL *)b->ptr)->ssl=ssl;
diff --git a/src/lib/libssl/src/ssl/install-ssl.com b/src/lib/libssl/src/ssl/install-ssl.com
new file mode 100755
index 0000000000..1bd6ccaa7a
--- /dev/null
+++ b/src/lib/libssl/src/ssl/install-ssl.com
@@ -0,0 +1,136 @@
+$! INSTALL-SSL.COM -- Installs the files in a given directory tree
+$!
+$! Author: Richard Levitte <richard@levitte.org>
+$! Time of creation: 22-MAY-1998 10:13
+$!
+$! P1  root of the directory tree
+$! P2  "64" for 64-bit pointers.
+$!
+$!
+$! Announce/identify.
+$!
+$ proc = f$environment( "procedure")
+$ write sys$output "@@@ "+ -
+   f$parse( proc, , , "name")+ f$parse( proc, , , "type")
+$!
+$ on error then goto tidy
+$ on control_c then goto tidy
+$!
+$ if p1 .eqs. ""
+$ then
+$   write sys$output "First argument missing."
+$   write sys$output -
+     "It should be the directory where you want things installed."
+$   exit
+$ endif
+$!
+$ if (f$getsyi( "cpu") .lt. 128)
+$ then
+$     arch = "VAX"
+$ else
+$     arch = f$edit( f$getsyi( "arch_name"), "upcase")
+$     if (arch .eqs. "") then arch = "UNK"
+$ endif
+$!
+$ archd = arch
+$ lib32 = "32"
+$ shr = "_SHR32"
+$!
+$ if (p2 .nes. "")
+$ then
+$   if (p2 .eqs. "64")
+$   then
+$     archd = arch+ "_64"
+$     lib32 = ""
+$     shr = "_SHR"
+$   else
+$     if (p2 .nes. "32")
+$     then
+$       write sys$output "Second argument invalid."
+$       write sys$output "It should be "32", "64", or nothing."
+$       exit
+$     endif
+$   endif
+$ endif
+$!
+$ root = f$parse( p1, "[]A.;0", , , "syntax_only, no_conceal") - "A.;0"
+$ root_dev = f$parse(root,,,"device","syntax_only")
+$ root_dir = f$parse(root,,,"directory","syntax_only") - -
+   "[000000." - "][" - "[" - "]"
+$ root = root_dev + "[" + root_dir
+$!
+$ define /nolog wrk_sslroot 'root'.] /trans=conc
+$ define /nolog wrk_sslinclude wrk_sslroot:[include]
+$ define /nolog wrk_sslxexe wrk_sslroot:['archd'_exe]
+$ define /nolog wrk_sslxlib wrk_sslroot:['arch'_lib]
+$!
+$ if f$parse("wrk_sslroot:[000000]") .eqs. "" then -
+   create /directory /log wrk_sslroot:[000000]
+$ if f$parse("wrk_sslinclude:") .eqs. "" then -
+   create /directory /log wrk_sslinclude:
+$ if f$parse("wrk_sslxexe:") .eqs. "" then -
+   create /directory /log wrk_sslxexe:
+$ if f$parse("wrk_sslxlib:") .eqs. "" then -
+   create /directory /log wrk_sslxlib:
+$!
+$ exheader := ssl.h, ssl2.h, ssl3.h, ssl23.h, tls1.h, dtls1.h, kssl.h
+$ e_exe := ssl_task
+$ libs := ssl_libssl
+$!
+$ xexe_dir := [-.'archd'.exe.ssl]
+$!
+$ copy /protection = w:re 'exheader' wrk_sslinclude: /log
+$!
+$ i = 0
+$ loop_exe:
+$   e = f$edit( f$element( i, ",", e_exe), "trim")
+$   i = i + 1
+$   if e .eqs. "," then goto loop_exe_end
+$   set noon
+$   file = xexe_dir+ e+ ".exe"
+$   if f$search( file) .nes. ""
+$   then
+$     copy /protection = w:re 'file' wrk_sslxexe: /log
+$   endif
+$   set on
+$ goto loop_exe
+$ loop_exe_end:
+$!
+$ i = 0
+$ loop_lib: 
+$   e = f$edit(f$element(i, ",", libs),"trim")
+$   i = i + 1
+$   if e .eqs. "," then goto loop_lib_end
+$   set noon
+$! Object library.
+$   file = xexe_dir+ e+ lib32+ ".olb"
+$   if f$search( file) .nes. ""
+$   then
+$     copy /protection = w:re 'file' wrk_sslxlib: /log
+$   endif
+$! Shareable image.
+$   file = xexe_dir+ e+ shr+ ".exe"
+$   if f$search( file) .nes. ""
+$   then
+$     copy /protection = w:re 'file' wrk_sslxlib: /log
+$   endif
+$   set on
+$ goto loop_lib
+$ loop_lib_end:
+$!
+$ tidy:
+$!
+$ call deass wrk_sslroot
+$ call deass wrk_sslinclude
+$ call deass wrk_sslxexe
+$ call deass wrk_sslxlib
+$!
+$ exit
+$!
+$ deass: subroutine
+$ if (f$trnlnm( p1, "LNM$PROCESS") .nes. "")
+$ then
+$   deassign /process 'p1'
+$ endif
+$ endsubroutine
+$!
diff --git a/src/lib/libssl/src/ssl/s23_lib.c b/src/lib/libssl/src/ssl/s23_lib.c
index e3fce53430..3bf728318a 100644
--- a/src/lib/libssl/src/ssl/s23_lib.c
+++ b/src/lib/libssl/src/ssl/s23_lib.c
@@ -92,15 +92,8 @@ const SSL_CIPHER *ssl23_get_cipher(unsigned int u)
  * available */
 const SSL_CIPHER *ssl23_get_cipher_by_char(const unsigned char *p)
 	{
-	SSL_CIPHER c;
 	const SSL_CIPHER *cp;
-	unsigned long id;
-	int n;
 
-	n=ssl3_num_ciphers();
-	id=0x03000000|((unsigned long)p[0]<<16L)|
-		((unsigned long)p[1]<<8L)|(unsigned long)p[2];
-	c.id=id;
 	cp=ssl3_get_cipher_by_char(p);
 #ifndef OPENSSL_NO_SSL2
 	if (cp == NULL)
diff --git a/src/lib/libssl/src/ssl/s2_srvr.c b/src/lib/libssl/src/ssl/s2_srvr.c
index 1434e734dd..bc885e8e7f 100644
--- a/src/lib/libssl/src/ssl/s2_srvr.c
+++ b/src/lib/libssl/src/ssl/s2_srvr.c
@@ -403,13 +403,14 @@ static int get_client_master_key(SSL *s)
 		p+=3;
 		n2s(p,i); s->s2->tmp.clear=i;
 		n2s(p,i); s->s2->tmp.enc=i;
-		n2s(p,i); s->session->key_arg_length=i;
-		if(s->session->key_arg_length > SSL_MAX_KEY_ARG_LENGTH)
+		n2s(p,i);
+		if(i > SSL_MAX_KEY_ARG_LENGTH)
 			{
 			ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
 			SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_KEY_ARG_TOO_LONG);
 			return -1;
 			}
+		s->session->key_arg_length=i;
 		s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_B;
 		}
 
@@ -697,7 +698,6 @@ static int server_hello(SSL *s)
 	{
 	unsigned char *p,*d;
 	int n,hit;
-	STACK_OF(SSL_CIPHER) *sk;
 
 	p=(unsigned char *)s->init_buf->data;
 	if (s->state == SSL2_ST_SEND_SERVER_HELLO_A)
@@ -778,7 +778,6 @@ static int server_hello(SSL *s)
 			
 			/* lets send out the ciphers we like in the
 			 * prefered order */
-			sk= s->session->ciphers;
 			n=ssl_cipher_list_to_bytes(s,s->session->ciphers,d,0);
 			d+=n;
 			s2n(n,p);		/* add cipher length */
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c
index 41769febab..50bd415b56 100644
--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -866,8 +866,11 @@ int ssl3_get_server_hello(SSL *s)
 		s->session->cipher_id = s->session->cipher->id;
 	if (s->hit && (s->session->cipher_id != c->id))
 		{
+/* Workaround is now obsolete */
+#if 0
 		if (!(s->options &
 			SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
+#endif
 			{
 			al=SSL_AD_ILLEGAL_PARAMETER;
 			SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
@@ -1508,6 +1511,7 @@ int ssl3_get_key_exchange(SSL *s)
 		s->session->sess_cert->peer_ecdh_tmp=ecdh;
 		ecdh=NULL;
 		BN_CTX_free(bn_ctx);
+		bn_ctx = NULL;
 		EC_POINT_free(srvr_ecpoint);
 		srvr_ecpoint = NULL;
 		}
@@ -2239,6 +2243,7 @@ int ssl3_send_client_key_exchange(SSL *s)
 			if (!DH_generate_key(dh_clnt))
 				{
 				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
+				DH_free(dh_clnt);
 				goto err;
 				}
 
@@ -2250,6 +2255,7 @@ int ssl3_send_client_key_exchange(SSL *s)
 			if (n <= 0)
 				{
 				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
+				DH_free(dh_clnt);
 				goto err;
 				}
 
diff --git a/src/lib/libssl/src/ssl/s3_enc.c b/src/lib/libssl/src/ssl/s3_enc.c
index 3d7aec97a2..58386e1ba0 100644
--- a/src/lib/libssl/src/ssl/s3_enc.c
+++ b/src/lib/libssl/src/ssl/s3_enc.c
@@ -214,7 +214,7 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
 
 int ssl3_change_cipher_state(SSL *s, int which)
 	{
-	unsigned char *p,*key_block,*mac_secret;
+	unsigned char *p,*mac_secret;
 	unsigned char exp_key[EVP_MAX_KEY_LENGTH];
 	unsigned char exp_iv[EVP_MAX_IV_LENGTH];
 	unsigned char *ms,*key,*iv,*er1,*er2;
@@ -239,7 +239,6 @@ int ssl3_change_cipher_state(SSL *s, int which)
 	else
 		comp=s->s3->tmp.new_compression->method;
 #endif
-	key_block=s->s3->tmp.key_block;
 
 	if (which & SSL3_CC_READ)
 		{
diff --git a/src/lib/libssl/src/ssl/s3_lib.c b/src/lib/libssl/src/ssl/s3_lib.c
index d6b047c995..62c791cb72 100644
--- a/src/lib/libssl/src/ssl/s3_lib.c
+++ b/src/lib/libssl/src/ssl/s3_lib.c
@@ -2198,11 +2198,17 @@ void ssl3_clear(SSL *s)
 		}
 #ifndef OPENSSL_NO_DH
 	if (s->s3->tmp.dh != NULL)
+		{
 		DH_free(s->s3->tmp.dh);
+		s->s3->tmp.dh = NULL;
+		}
 #endif
 #ifndef OPENSSL_NO_ECDH
 	if (s->s3->tmp.ecdh != NULL)
+		{
 		EC_KEY_free(s->s3->tmp.ecdh);
+		s->s3->tmp.ecdh = NULL;
+		}
 #endif
 
 	rp = s->s3->rbuf.buf;
diff --git a/src/lib/libssl/src/ssl/s3_pkt.c b/src/lib/libssl/src/ssl/s3_pkt.c
index e3f6050a26..f9b3629cf7 100644
--- a/src/lib/libssl/src/ssl/s3_pkt.c
+++ b/src/lib/libssl/src/ssl/s3_pkt.c
@@ -246,7 +246,8 @@ int ssl3_read_n(SSL *s, int n, int max, int extend)
 		if (i <= 0)
 			{
 			rb->left = left;
-			if (s->mode & SSL_MODE_RELEASE_BUFFERS)
+			if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
+			    SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER)
 				if (len+left == 0)
 					ssl3_release_read_buffer(s);
 			return(i);
@@ -846,7 +847,8 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
 			{
 			wb->left=0;
 			wb->offset+=i;
-			if (s->mode & SSL_MODE_RELEASE_BUFFERS)
+			if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
+			    SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER)
 				ssl3_release_write_buffer(s);
 			s->rwstate=SSL_NOTHING;
 			return(s->s3->wpend_ret);
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c
index 92f73b6681..c3b5ff33ff 100644
--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -768,15 +768,20 @@ int ssl3_check_client_hello(SSL *s)
 	if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO)
 		{
 		/* Throw away what we have done so far in the current handshake,
-		 * which will now be aborted. (A full SSL_clear would be too much.)
-		 * I hope that tmp.dh is the only thing that may need to be cleared
-		 * when a handshake is not completed ... */
+		 * which will now be aborted. (A full SSL_clear would be too much.) */
 #ifndef OPENSSL_NO_DH
 		if (s->s3->tmp.dh != NULL)
 			{
 			DH_free(s->s3->tmp.dh);
 			s->s3->tmp.dh = NULL;
 			}
+#endif
+#ifndef OPENSSL_NO_ECDH
+		if (s->s3->tmp.ecdh != NULL)
+			{
+			EC_KEY_free(s->s3->tmp.ecdh);
+			s->s3->tmp.ecdh = NULL;
+			}
 #endif
 		return 2;
 		}
@@ -985,6 +990,10 @@ int ssl3_get_client_hello(SSL *s)
 				break;
 				}
 			}
+/* Disabled because it can be used in a ciphersuite downgrade
+ * attack: CVE-2010-4180.
+ */
+#if 0
 		if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1))
 			{
 			/* Special case as client bug workaround: the previously used cipher may
@@ -999,6 +1008,7 @@ int ssl3_get_client_hello(SSL *s)
 				j = 1;
 				}
 			}
+#endif
 		if (j == 0)
 			{
 			/* we need to have the cipher in the cipher
@@ -1486,7 +1496,6 @@ int ssl3_send_server_key_exchange(SSL *s)
 
 			if (s->s3->tmp.dh != NULL)
 				{
-				DH_free(dh);
 				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
 				goto err;
 				}
@@ -1547,7 +1556,6 @@ int ssl3_send_server_key_exchange(SSL *s)
 
 			if (s->s3->tmp.ecdh != NULL)
 				{
-				EC_KEY_free(s->s3->tmp.ecdh); 
 				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
 				goto err;
 				}
@@ -1558,12 +1566,11 @@ int ssl3_send_server_key_exchange(SSL *s)
 				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
 				goto err;
 				}
-			if (!EC_KEY_up_ref(ecdhp))
+			if ((ecdh = EC_KEY_dup(ecdhp)) == NULL)
 				{
 				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
 				goto err;
 				}
-			ecdh = ecdhp;
 
 			s->s3->tmp.ecdh=ecdh;
 			if ((EC_KEY_get0_public_key(ecdh) == NULL) ||
@@ -1726,6 +1733,7 @@ int ssl3_send_server_key_exchange(SSL *s)
 			    (unsigned char *)encodedPoint, 
 			    encodedlen);
 			OPENSSL_free(encodedPoint);
+			encodedPoint = NULL;
 			p += encodedlen;
 			}
 #endif
@@ -2435,6 +2443,12 @@ int ssl3_get_client_key_exchange(SSL *s)
 			/* Get encoded point length */
 			i = *p; 
 			p += 1;
+			if (n != 1 + i)
+				{
+				SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+				    ERR_R_EC_LIB);
+				goto err;
+				}
 			if (EC_POINT_oct2point(group, 
 			    clnt_ecpoint, p, i, bn_ctx) == 0)
 				{
@@ -2579,12 +2593,19 @@ int ssl3_get_client_key_exchange(SSL *s)
 			{
 			int ret = 0;
 			EVP_PKEY_CTX *pkey_ctx;
-			EVP_PKEY *client_pub_pkey = NULL;
+			EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
 			unsigned char premaster_secret[32], *start;
-			size_t outlen=32, inlen;			
+			size_t outlen=32, inlen;
+			unsigned long alg_a;
 
 			/* Get our certificate private key*/
-			pkey_ctx = EVP_PKEY_CTX_new(s->cert->key->privatekey,NULL);	
+			alg_a = s->s3->tmp.new_cipher->algorithm_auth;
+			if (alg_a & SSL_aGOST94)
+				pk = s->cert->pkeys[SSL_PKEY_GOST94].privatekey;
+			else if (alg_a & SSL_aGOST01)
+				pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
+
+			pkey_ctx = EVP_PKEY_CTX_new(pk,NULL);
 			EVP_PKEY_decrypt_init(pkey_ctx);
 			/* If client certificate is present and is of the same type, maybe
 			 * use it for key exchange.  Don't mind errors from
diff --git a/src/lib/libssl/src/ssl/ssl-lib.com b/src/lib/libssl/src/ssl/ssl-lib.com
index c5ca9e1df7..180f3a2d88 100644
--- a/src/lib/libssl/src/ssl/ssl-lib.com
+++ b/src/lib/libssl/src/ssl/ssl-lib.com
@@ -42,11 +42,33 @@ $!	SOCKETSHR	for SOCKETSHR+NETLIB
 $!
 $!  P5, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up)
 $!
+$!  P6, if defined, specifies the C pointer size.  Ignored on VAX.
+$!      ("64=ARGV" gives more efficient code with HP C V7.3 or newer.)
+$!      Supported values are:
+$!
+$!      ""       Compile with default (/NOPOINTER_SIZE)
+$!      32       Compile with /POINTER_SIZE=32 (SHORT)
+$!      64       Compile with /POINTER_SIZE=64[=ARGV] (LONG[=ARGV])
+$!               (Automatically select ARGV if compiler supports it.)
+$!      64=      Compile with /POINTER_SIZE=64 (LONG).
+$!      64=ARGV  Compile with /POINTER_SIZE=64=ARGV (LONG=ARGV).
+$!
+$!  P7, if defined, specifies a directory where ZLIB files (zlib.h,
+$!  libz.olb) may be found.  Optionally, a non-default object library
+$!  name may be included ("dev:[dir]libz_64.olb", for example).
+$!
+$!
+$! Announce/identify.
+$!
+$ proc = f$environment( "procedure")
+$ write sys$output "@@@ "+ -
+   f$parse( proc, , , "name")+ f$parse( proc, , , "type")
 $!
 $! Define A TCP/IP Library That We Will Need To Link To.
 $! (That Is, If We Need To Link To One.)
 $!
 $ TCPIP_LIB = ""
+$ ZLIB_LIB = ""
 $!
 $! Check What Architecture We Are Using.
 $!
@@ -70,17 +92,33 @@ $! End The Architecture Check.
 $!
 $ ENDIF
 $!
-$! Define The OBJ Directory.
+$ ARCHD = ARCH
+$ LIB32 = "32"
+$ OPT_FILE = ""
+$ POINTER_SIZE = ""
 $!
-$ OBJ_DIR := SYS$DISK:[-.'ARCH'.OBJ.SSL]
+$! Check To Make Sure We Have Valid Command Line Parameters.
 $!
-$! Define The EXE Directory.
+$ GOSUB CHECK_OPTIONS
 $!
-$ EXE_DIR := SYS$DISK:[-.'ARCH'.EXE.SSL]
+$! Define The OBJ and EXE Directories.
 $!
-$! Check To Make Sure We Have Valid Command Line Parameters.
+$ OBJ_DIR := SYS$DISK:[-.'ARCHD'.OBJ.SSL]
+$ EXE_DIR := SYS$DISK:[-.'ARCHD'.EXE.SSL]
 $!
-$ GOSUB CHECK_OPTIONS
+$! Specify the destination directory in any /MAP option.
+$!
+$ if (LINKMAP .eqs. "MAP")
+$ then
+$   LINKMAP = LINKMAP+ "=''EXE_DIR'"
+$ endif
+$!
+$! Add the location prefix to the linker options file name.
+$!
+$ if (OPT_FILE .nes. "")
+$ then
+$   OPT_FILE = EXE_DIR+ OPT_FILE
+$ endif
 $!
 $! Initialise logical names and such
 $!
@@ -88,7 +126,7 @@ $ GOSUB INITIALISE
 $!
 $! Tell The User What Kind of Machine We Run On.
 $!
-$ WRITE SYS$OUTPUT "Compiling On A ",ARCH," Machine."
+$ WRITE SYS$OUTPUT "Host system architecture: ''ARCHD'"
 $!
 $! Check To See If The Architecture Specific OBJ Directory Exists.
 $!
@@ -118,11 +156,15 @@ $ ENDIF
 $!
 $! Define The Library Name.
 $!
-$ SSL_LIB := 'EXE_DIR'LIBSSL.OLB
+$ SSL_LIB := 'EXE_DIR'SSL_LIBSSL'LIB32'.OLB
 $!
 $! Define The CRYPTO-LIB We Are To Use.
 $!
-$ CRYPTO_LIB := SYS$DISK:[-.'ARCH'.EXE.CRYPTO]LIBCRYPTO.OLB
+$ CRYPTO_LIB := SYS$DISK:[-.'ARCHD'.EXE.CRYPTO]SSL_LIBCRYPTO'LIB32'.OLB
+$!
+$! Set up exceptional compilations.
+$!
+$ CC5_SHOWN = 0
 $!
 $! Check To See What We Are To Do.
 $!
@@ -156,7 +198,7 @@ $! Compile The Library.
 $!
 $ LIBRARY:
 $!
-$! Check To See If We Already Have A "[.xxx.EXE.SSL]LIBSSL.OLB" Library...
+$! Check To See If We Already Have A "[.xxx.EXE.SSL]SSL_LIBSSL''LIB32'.OLB" Library...
 $!
 $ IF (F$SEARCH(SSL_LIB).EQS."")
 $ THEN
@@ -182,6 +224,8 @@ $ LIB_SSL = "s2_meth,s2_srvr,s2_clnt,s2_lib,s2_enc,s2_pkt,"+ -
 	    "ssl_asn1,ssl_txt,ssl_algs,"+ -
 	    "bio_ssl,ssl_err,kssl,t1_reneg"
 $!
+$ COMPILEWITH_CC5 = ""
+$!
 $! Tell The User That We Are Compiling The Library.
 $!
 $ WRITE SYS$OUTPUT "Building The ",SSL_LIB," Library."
@@ -295,42 +339,47 @@ $! End The SSL_TASK.C File Check.
 $!
 $ ENDIF
 $!
+$ COMPILEWITH_CC5 = "" !!! ",ssl_task,"
+$!
+$! Tell The User We Are Creating The SSL_TASK.
+$!
 $! Tell The User We Are Creating The SSL_TASK.
 $!
 $ WRITE SYS$OUTPUT "Creating SSL_TASK OSU HTTP SSL Engine."	
 $!
+$!  Tell The User What File We Are Compiling.
+$!
+$ FILE_NAME = "ssl_task"
+$ WRITE SYS$OUTPUT "	",FILE_NAME,".c"
+$!
 $! Compile The File.
 $!
 $ ON ERROR THEN GOTO SSL_TASK_END
-$ CC5/OBJECT='OBJ_DIR'SSL_TASK.OBJ SYS$DISK:[]SSL_TASK.C
 $!
-$! Link The Program.
-$! Check To See If We Are To Link With A Specific TCP/IP Library.
-$!
-$ IF (TCPIP_LIB.NES."")
+$ FILE_NAME0 = ","+ F$ELEMENT(0,".",FILE_NAME)+ ","
+$ IF COMPILEWITH_CC5 - FILE_NAME0 .NES. COMPILEWITH_CC5
 $ THEN
-$!
-$!  Link With TCP/IP Library.
-$!
-$   LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR'SSL_TASK.EXE -
-        'OBJ_DIR'SSL_TASK.OBJ, -
-	'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, -
-        'TCPIP_LIB','OPT_FILE'/OPTION
-$!
-$! Else...
-$!
+$   if (.not. CC5_SHOWN)
+$   then
+$     CC5_SHOWN = 1
+$     write sys$output "        \Using special rule (5)"
+$     x = "    "+ CC5
+$     write /symbol sys$output x
+$   endif
+$   CC5 /OBJECT='OBJ_DIR''FILE_NAME'.OBJ SYS$DISK:[]'FILE_NAME'.C
 $ ELSE
+$   CC /OBJECT='OBJ_DIR''FILE_NAME'.OBJ SYS$DISK:[]'FILE_NAME'.C
+$ ENDIF
 $!
-$!  Don't Link With TCP/IP Library.
-$!
-$   LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR'SSL_TASK.EXE -
-        'OBJ_DIR'SSL_TASK.OBJ,-
-	'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, -
-        'OPT_FILE'/OPTION
-$!
-$! End The TCP/IP Library Check.
+$! Link The Program.
 $!
-$ ENDIF
+$ LINK /'DEBUGGER' /'LINKMAP' /'TRACEBACK' /EXE='EXE_DIR'SSL_TASK.EXE -
+   'OBJ_DIR'SSL_TASK.OBJ, -
+   'SSL_LIB'/LIBRARY, -
+   'CRYPTO_LIB'/LIBRARY -
+   'TCPIP_LIB' -
+   'ZLIB_LIB' -
+   ,'OPT_FILE' /OPTIONS
 $!
 $! Time To Return.
 $!
@@ -356,7 +405,7 @@ $!
 $     CREATE 'OPT_FILE'
 $DECK
 !
-! Default System Options File To Link Agianst 
+! Default System Options File To Link Against 
 ! The Sharable VAX C Runtime Library.
 !
 SYS$SHARE:VAXCRTL.EXE/SHARE
@@ -385,7 +434,7 @@ $!
 $     CREATE 'OPT_FILE'
 $DECK
 !
-! Default System Options File To Link Agianst 
+! Default System Options File To Link Against 
 ! The Sharable C Runtime Library.
 !
 GNU_CC:[000000]GCCLIB/LIBRARY
@@ -420,7 +469,7 @@ $!
 $       CREATE 'OPT_FILE'
 $DECK
 !
-! Default System Options File To Link Agianst 
+! Default System Options File To Link Against 
 ! The Sharable DEC C Runtime Library.
 !
 SYS$SHARE:DECC$SHR.EXE/SHARE
@@ -435,7 +484,7 @@ $!
 $       CREATE 'OPT_FILE'
 $DECK
 !
-! Default System Options File For non-VAX To Link Agianst 
+! Default System Options File For non-VAX To Link Against 
 ! The Sharable C Runtime Library.
 !
 SYS$SHARE:CMA$OPEN_LIB_SHR/SHARE
@@ -548,8 +597,8 @@ $     WRITE SYS$OUTPUT "    SSL_TASK :  To Compile Just The [.xxx.EXE.SSL]SSL_TA
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT " Where 'xxx' Stands For:"
 $     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "    ALPHA    :  Alpha Architecture."
-$     WRITE SYS$OUTPUT "    IA64     :  IA64 Architecture."
+$     WRITE SYS$OUTPUT "    ALPHA[64]:  Alpha Architecture."
+$     WRITE SYS$OUTPUT "    IA64[64] :  IA64 Architecture."
 $     WRITE SYS$OUTPUT "    VAX      :  VAX Architecture."
 $     WRITE SYS$OUTPUT ""
 $!
@@ -570,14 +619,15 @@ $!
 $ IF (P2.EQS."NODEBUG")
 $ THEN
 $!
-$!   P2 Is NODEBUG, So Compile Without Debugger Information.
+$!  P2 Is NODEBUG, So Compile Without Debugger Information.
 $!
-$    DEBUGGER  = "NODEBUG"
-$    TRACEBACK = "NOTRACEBACK" 
-$    GCC_OPTIMIZE = "OPTIMIZE"
-$    CC_OPTIMIZE = "OPTIMIZE"
-$    WRITE SYS$OUTPUT "No Debugger Information Will Be Produced During Compile."
-$    WRITE SYS$OUTPUT "Compiling With Compiler Optimization."
+$   DEBUGGER  = "NODEBUG"
+$   LINKMAP = "NOMAP"
+$   TRACEBACK = "NOTRACEBACK" 
+$   GCC_OPTIMIZE = "OPTIMIZE"
+$   CC_OPTIMIZE = "OPTIMIZE"
+$   WRITE SYS$OUTPUT "No Debugger Information Will Be Produced During Compile."
+$   WRITE SYS$OUTPUT "Compiling With Compiler Optimization."
 $!
 $! Else...
 $!
@@ -591,6 +641,7 @@ $!
 $!    Compile With Debugger Information.
 $!
 $     DEBUGGER  = "DEBUG"
+$     LINKMAP = "MAP"
 $     TRACEBACK = "TRACEBACK"
 $     GCC_OPTIMIZE = "NOOPTIMIZE"
 $     CC_OPTIMIZE = "NOOPTIMIZE"
@@ -598,7 +649,7 @@ $     WRITE SYS$OUTPUT "Debugger Information Will Be Produced During Compile."
 $     WRITE SYS$OUTPUT "Compiling Without Compiler Optimization."
 $   ELSE
 $!
-$!    Tell The User Entered An Invalid Option..
+$!    Tell The User Entered An Invalid Option.
 $!
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT "The Option ",P2," Is Invalid.  The Valid Options Are:"
@@ -653,6 +704,59 @@ $! End The P5 Check.
 $!
 $ ENDIF
 $!
+$! Check P6 (POINTER_SIZE).
+$!
+$ IF (P6 .NES. "") .AND. (ARCH .NES. "VAX")
+$ THEN
+$!
+$   IF (P6 .EQS. "32")
+$   THEN
+$     POINTER_SIZE = " /POINTER_SIZE=32"
+$   ELSE
+$     POINTER_SIZE = F$EDIT( P6, "COLLAPSE, UPCASE")
+$     IF ((POINTER_SIZE .EQS. "64") .OR. -
+       (POINTER_SIZE .EQS. "64=") .OR. -
+       (POINTER_SIZE .EQS. "64=ARGV"))
+$     THEN
+$       ARCHD = ARCH+ "_64"
+$       LIB32 = ""
+$       POINTER_SIZE = " /POINTER_SIZE=64"
+$     ELSE
+$!
+$!      Tell The User Entered An Invalid Option.
+$!
+$       WRITE SYS$OUTPUT ""
+$       WRITE SYS$OUTPUT "The Option ", P6, -
+         " Is Invalid.  The Valid Options Are:"
+$       WRITE SYS$OUTPUT ""
+$       WRITE SYS$OUTPUT -
+         "    """"       :  Compile with default (short) pointers."
+$       WRITE SYS$OUTPUT -
+         "    32       :  Compile with 32-bit (short) pointers."
+$       WRITE SYS$OUTPUT -
+         "    64       :  Compile with 64-bit (long) pointers (auto ARGV)."
+$       WRITE SYS$OUTPUT -
+         "    64=      :  Compile with 64-bit (long) pointers (no ARGV)."
+$       WRITE SYS$OUTPUT -
+         "    64=ARGV  :  Compile with 64-bit (long) pointers (ARGV)."
+$       WRITE SYS$OUTPUT ""
+$! 
+$!      Time To EXIT.
+$!
+$       EXIT
+$!
+$     ENDIF
+$!
+$   ENDIF
+$!
+$! End The P6 (POINTER_SIZE) Check.
+$!
+$ ENDIF
+$!
+$! Set basic C compiler /INCLUDE directories.
+$!
+$ CC_INCLUDES = "SYS$DISK:[-.CRYPTO],SYS$DISK:[-]"
+$!
 $! Check To See If P3 Is Blank.
 $!
 $ IF (P3.EQS."")
@@ -753,11 +857,64 @@ $ CCDEFS = "TCPIP_TYPE_''P4'"
 $ IF F$TYPE(USER_CCDEFS) .NES. "" THEN CCDEFS = CCDEFS + "," + USER_CCDEFS
 $ CCEXTRAFLAGS = ""
 $ IF F$TYPE(USER_CCFLAGS) .NES. "" THEN CCEXTRAFLAGS = USER_CCFLAGS
-$ CCDISABLEWARNINGS = "LONGLONGTYPE,LONGLONGSUFX,FOUNDCR"
+$ CCDISABLEWARNINGS = "" !!! "LONGLONGTYPE,LONGLONGSUFX,FOUNDCR"
 $ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. "" THEN -
 	CCDISABLEWARNINGS = CCDISABLEWARNINGS + "," + USER_CCDISABLEWARNINGS
 $!
-$!  Check To See If The User Entered A Valid Paramter.
+$! Check To See If We Have A ZLIB Option.
+$!
+$ ZLIB = P7
+$ IF (ZLIB .NES. "")
+$ THEN
+$!
+$!  Check for expected ZLIB files.
+$!
+$   err = 0
+$   file1 = f$parse( "zlib.h", ZLIB, , , "SYNTAX_ONLY")
+$   if (f$search( file1) .eqs. "")
+$   then
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "The Option ", ZLIB, " Is Invalid."
+$     WRITE SYS$OUTPUT "    Can't find header: ''file1'"
+$     err = 1
+$   endif
+$   file1 = f$parse( "A.;", ZLIB)- "A.;"
+$!
+$   file2 = f$parse( ZLIB, "libz.olb", , , "SYNTAX_ONLY")
+$   if (f$search( file2) .eqs. "")
+$   then
+$     if (err .eq. 0)
+$     then
+$       WRITE SYS$OUTPUT ""
+$       WRITE SYS$OUTPUT "The Option ", ZLIB, " Is Invalid."
+$     endif
+$     WRITE SYS$OUTPUT "    Can't find library: ''file2'"
+$     WRITE SYS$OUTPUT ""
+$     err = err+ 2
+$   endif
+$   if (err .eq. 1)
+$   then
+$     WRITE SYS$OUTPUT ""
+$   endif
+$!
+$   if (err .ne. 0)
+$   then
+$     EXIT
+$   endif
+$!
+$   CCDEFS = """ZLIB=1"", "+ CCDEFS
+$   CC_INCLUDES = CC_INCLUDES+ ", "+ file1
+$   ZLIB_LIB = ", ''file2' /library"
+$!
+$!  Print info
+$!
+$   WRITE SYS$OUTPUT "ZLIB library spec: ", file2
+$!
+$! End The ZLIB Check.
+$!
+$ ENDIF
+$!
+$!  Check To See If The User Entered A Valid Parameter.
 $!
 $ IF (P3.EQS."VAXC").OR.(P3.EQS."DECC").OR.(P3.EQS."GNUC")
 $ THEN
@@ -780,13 +937,13 @@ $!
 $     CC = "CC"
 $     IF ARCH.EQS."VAX" .AND. F$TRNLNM("DECC$CC_DEFAULT").NES."/DECC" -
 	 THEN CC = "CC/DECC"
-$     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/STANDARD=ANSI89" + -
-           "/NOLIST/PREFIX=ALL" + -
-	   "/INCLUDE=(SYS$DISK:[-.CRYPTO],SYS$DISK:[-])" + CCEXTRAFLAGS
+$     CC = CC + " /''CC_OPTIMIZE' /''DEBUGGER' /STANDARD=RELAXED"+ -
+       "''POINTER_SIZE' /NOLIST /PREFIX=ALL" + -
+       " /INCLUDE=(''CC_INCLUDES') " + CCEXTRAFLAGS
 $!
 $!    Define The Linker Options File Name.
 $!
-$     OPT_FILE = "''EXE_DIR'VAX_DECC_OPTIONS.OPT"
+$     OPT_FILE = "VAX_DECC_OPTIONS.OPT"
 $!
 $!  End DECC Check.
 $!
@@ -815,7 +972,7 @@ $	EXIT
 $     ENDIF
 $     IF F$TRNLNM("DECC$CC_DEFAULT").EQS."/DECC" THEN CC = "CC/VAXC"
 $     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
-	   "/INCLUDE=(SYS$DISK:[-.CRYPTO],SYS$DISK:[-])" + CCEXTRAFLAGS
+	   "/INCLUDE=(''CC_INCLUDES')" + CCEXTRAFLAGS
 $     CCDEFS = CCDEFS + ",""VAXC"""
 $!
 $!    Define <sys> As SYS$COMMON:[SYSLIB]
@@ -824,7 +981,7 @@ $     DEFINE/NOLOG SYS SYS$COMMON:[SYSLIB]
 $!
 $!    Define The Linker Options File Name.
 $!
-$     OPT_FILE = "''EXE_DIR'VAX_VAXC_OPTIONS.OPT"
+$     OPT_FILE = "VAX_VAXC_OPTIONS.OPT"
 $!
 $!  End VAXC Check
 $!
@@ -847,11 +1004,11 @@ $!    Use GNU C...
 $!
 $     IF F$TYPE(GCC) .EQS. "" THEN GCC := GCC
 $     CC = GCC+"/NOCASE_HACK/''GCC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
-	   "/INCLUDE=(SYS$DISK:[-.CRYPTO],SYS$DISK:[-])" + CCEXTRAFLAGS
+	   "/INCLUDE=(''CC_INCLUDES')" + CCEXTRAFLAGS
 $!
 $!    Define The Linker Options File Name.
 $!
-$     OPT_FILE = "''EXE_DIR'VAX_GNUC_OPTIONS.OPT"
+$     OPT_FILE = "VAX_GNUC_OPTIONS.OPT"
 $!
 $!  End The GNU C Check.
 $!
@@ -870,16 +1027,16 @@ $     THEN
 $       CC4DISABLEWARNINGS = "DOLLARID"
 $     ELSE
 $       CC4DISABLEWARNINGS = CCDISABLEWARNINGS + ",DOLLARID"
-$       CCDISABLEWARNINGS = "/WARNING=(DISABLE=(" + CCDISABLEWARNINGS + "))"
+$       CCDISABLEWARNINGS = " /WARNING=(DISABLE=(" + CCDISABLEWARNINGS + "))"
 $     ENDIF
-$     CC4DISABLEWARNINGS = "/WARNING=(DISABLE=(" + CC4DISABLEWARNINGS + "))"
+$     CC4DISABLEWARNINGS = " /WARNING=(DISABLE=(" + CC4DISABLEWARNINGS + "))"
 $   ELSE
 $     CCDISABLEWARNINGS = ""
 $     CC4DISABLEWARNINGS = ""
 $   ENDIF
-$   CC2 = CC + "/DEFINE=(" + CCDEFS + ",_POSIX_C_SOURCE)" + CCDISABLEWARNINGS
-$   CC3 = CC + "/DEFINE=(" + CCDEFS + ISSEVEN + ")" + CCDISABLEWARNINGS
-$   CC = CC + "/DEFINE=(" + CCDEFS + ")" + CCDISABLEWARNINGS
+$   CC2 = CC + " /DEFINE=(" + CCDEFS + ",_POSIX_C_SOURCE)" + CCDISABLEWARNINGS
+$   CC3 = CC + " /DEFINE=(" + CCDEFS + ISSEVEN + ")" + CCDISABLEWARNINGS
+$   CC = CC + " /DEFINE=(" + CCDEFS + ")" + CCDISABLEWARNINGS
 $   IF COMPILER .EQS. "DECC"
 $   THEN
 $     CC4 = CC - CCDISABLEWARNINGS + CC4DISABLEWARNINGS
@@ -925,7 +1082,7 @@ $   THEN
 $!
 $!    Set the library to use SOCKETSHR
 $!
-$     TCPIP_LIB = "SYS$DISK:[-.VMS]SOCKETSHR_SHR.OPT/OPT"
+$     TCPIP_LIB = ",SYS$DISK:[-.VMS]SOCKETSHR_SHR.OPT /OPTIONS"
 $!
 $!    Done with SOCKETSHR
 $!
@@ -951,13 +1108,13 @@ $   THEN
 $!
 $!    Set the library to use UCX.
 $!
-$     TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_DECC.OPT/OPT"
+$     TCPIP_LIB = ",SYS$DISK:[-.VMS]UCX_SHR_DECC.OPT /OPTIONS"
 $     IF F$TRNLNM("UCX$IPC_SHR") .NES. ""
 $     THEN
-$       TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_DECC_LOG.OPT/OPT"
+$       TCPIP_LIB = ",SYS$DISK:[-.VMS]UCX_SHR_DECC_LOG.OPT /OPTIONS"
 $     ELSE
 $       IF COMPILER .NES. "DECC" .AND. ARCH .EQS. "VAX" THEN -
-	  TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_VAXC.OPT/OPT"
+	  TCPIP_LIB = ",SYS$DISK:[-.VMS]UCX_SHR_VAXC.OPT /OPTIONS"
 $     ENDIF
 $!
 $!    Done with UCX
@@ -971,7 +1128,7 @@ $   THEN
 $!
 $!    Set the library to use TCPIP (post UCX).
 $!
-$     TCPIP_LIB = "SYS$DISK:[-.VMS]TCPIP_SHR_DECC.OPT/OPT"
+$     TCPIP_LIB = ",SYS$DISK:[-.VMS]TCPIP_SHR_DECC.OPT /OPTIONS"
 $!
 $!    Done with TCPIP
 $!
@@ -992,7 +1149,7 @@ $   ENDIF
 $!
 $!  Print info
 $!
-$   WRITE SYS$OUTPUT "TCP/IP library spec: ", TCPIP_LIB
+$   WRITE SYS$OUTPUT "TCP/IP library spec: ", TCPIP_LIB- ","
 $!
 $!  Else The User Entered An Invalid Argument.
 $!
diff --git a/src/lib/libssl/src/ssl/ssl_asn1.c b/src/lib/libssl/src/ssl/ssl_asn1.c
index 28709978b5..d7f4c6087e 100644
--- a/src/lib/libssl/src/ssl/ssl_asn1.c
+++ b/src/lib/libssl/src/ssl/ssl_asn1.c
@@ -357,7 +357,7 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
 SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
 			     long length)
 	{
-	int version,ssl_version=0,i;
+	int ssl_version=0,i;
 	long id;
 	ASN1_INTEGER ai,*aip;
 	ASN1_OCTET_STRING os,*osp;
@@ -371,7 +371,6 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
 
 	ai.data=NULL; ai.length=0;
 	M_ASN1_D2I_get_x(ASN1_INTEGER,aip,d2i_ASN1_INTEGER);
-	version=(int)ASN1_INTEGER_get(aip);
 	if (ai.data != NULL) { OPENSSL_free(ai.data); ai.data=NULL; ai.length=0; }
 
 	/* we don't care about the version right now :-) */
diff --git a/src/lib/libssl/src/ssl/ssl_ciph.c b/src/lib/libssl/src/ssl/ssl_ciph.c
index bee3507ea1..a8ce186b78 100644
--- a/src/lib/libssl/src/ssl/ssl_ciph.c
+++ b/src/lib/libssl/src/ssl/ssl_ciph.c
@@ -1027,7 +1027,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
                 const SSL_CIPHER **ca_list)
 	{
 	unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength;
-	const char *l, *start, *buf;
+	const char *l, *buf;
 	int j, multi, found, rule, retval, ok, buflen;
 	unsigned long cipher_id = 0;
 	char ch;
@@ -1064,7 +1064,6 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
 		alg_ssl = 0;
 		algo_strength = 0;
 
-		start=l;
 		for (;;)
 			{
 			ch = *l;
@@ -1456,7 +1455,7 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
 	int is_export,pkl,kl;
 	const char *ver,*exp_str;
 	const char *kx,*au,*enc,*mac;
-	unsigned long alg_mkey,alg_auth,alg_enc,alg_mac,alg_ssl,alg2,alg_s;
+	unsigned long alg_mkey,alg_auth,alg_enc,alg_mac,alg_ssl,alg2;
 #ifdef KSSL_DEBUG
 	static const char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s AL=%lx/%lx/%lx/%lx/%lx\n";
 #else
@@ -1469,7 +1468,6 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
 	alg_mac = cipher->algorithm_mac;
 	alg_ssl = cipher->algorithm_ssl;
 
-	alg_s=cipher->algo_strength;
 	alg2=cipher->algorithm2;
 
 	is_export=SSL_C_IS_EXPORT(cipher);
diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c
index 3157f20eac..46732791fd 100644
--- a/src/lib/libssl/src/ssl/ssl_lib.c
+++ b/src/lib/libssl/src/ssl/ssl_lib.c
@@ -1833,7 +1833,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 #endif
 	X509 *x = NULL;
 	EVP_PKEY *ecc_pkey = NULL;
-	int signature_nid = 0;
+	int signature_nid = 0, pk_nid = 0, md_nid = 0;
 
 	if (c == NULL) return;
 
@@ -1963,18 +1963,15 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 		    EVP_PKEY_bits(ecc_pkey) : 0;
 		EVP_PKEY_free(ecc_pkey);
 		if ((x->sig_alg) && (x->sig_alg->algorithm))
+			{
 			signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
+			OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
+			}
 #ifndef OPENSSL_NO_ECDH
 		if (ecdh_ok)
 			{
-			const char *sig = OBJ_nid2ln(signature_nid);
-			if (sig == NULL)
-				{
-				ERR_clear_error();
-				sig = "unknown";
-				}
-				
-			if (strstr(sig, "WithRSA"))
+
+			if (pk_nid == NID_rsaEncryption || pk_nid == NID_rsa)
 				{
 				mask_k|=SSL_kECDHr;
 				mask_a|=SSL_aECDH;
@@ -1985,7 +1982,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 					}
 				}
 
-			if (signature_nid == NID_ecdsa_with_SHA1)
+			if (pk_nid == NID_X9_62_id_ecPublicKey)
 				{
 				mask_k|=SSL_kECDHe;
 				mask_a|=SSL_aECDH;
@@ -2039,7 +2036,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
 	unsigned long alg_k, alg_a;
 	EVP_PKEY *pkey = NULL;
 	int keysize = 0;
-	int signature_nid = 0;
+	int signature_nid = 0, md_nid = 0, pk_nid = 0;
 
 	alg_k = cs->algorithm_mkey;
 	alg_a = cs->algorithm_auth;
@@ -2057,7 +2054,10 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
 	/* This call populates the ex_flags field correctly */
 	X509_check_purpose(x, -1, 0);
 	if ((x->sig_alg) && (x->sig_alg->algorithm))
+		{
 		signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
+		OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
+		}
 	if (alg_k & SSL_kECDHe || alg_k & SSL_kECDHr)
 		{
 		/* key usage, if present, must allow key agreement */
@@ -2069,7 +2069,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
 		if (alg_k & SSL_kECDHe)
 			{
 			/* signature alg must be ECDSA */
-			if (signature_nid != NID_ecdsa_with_SHA1)
+			if (pk_nid != NID_X9_62_id_ecPublicKey)
 				{
 				SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE);
 				return 0;
@@ -2079,13 +2079,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
 			{
 			/* signature alg must be RSA */
 
-			const char *sig = OBJ_nid2ln(signature_nid);
-			if (sig == NULL)
-				{
-				ERR_clear_error();
-				sig = "unknown";
-				}
-			if (strstr(sig, "WithRSA") == NULL)
+			if (pk_nid != NID_rsaEncryption && pk_nid != NID_rsa)
 				{
 				SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE);
 				return 0;
@@ -2110,23 +2104,12 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
 /* THIS NEEDS CLEANING UP */
 X509 *ssl_get_server_send_cert(SSL *s)
 	{
-	unsigned long alg_k,alg_a,mask_k,mask_a;
+	unsigned long alg_k,alg_a;
 	CERT *c;
-	int i,is_export;
+	int i;
 
 	c=s->cert;
 	ssl_set_cert_masks(c, s->s3->tmp.new_cipher);
-	is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
-	if (is_export)
-		{
-		mask_k = c->export_mask_k;
-		mask_a = c->export_mask_a;
-		}
-	else
-		{
-		mask_k = c->mask_k;
-		mask_a = c->mask_a;
-		}
 	
 	alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
 	alg_a = s->s3->tmp.new_cipher->algorithm_auth;
diff --git a/src/lib/libssl/src/ssl/ssltest.c b/src/lib/libssl/src/ssl/ssltest.c
index abf214ad7f..0bb4fa43bd 100644
--- a/src/lib/libssl/src/ssl/ssltest.c
+++ b/src/lib/libssl/src/ssl/ssltest.c
@@ -1430,7 +1430,6 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count)
 	BIO *c_bio=NULL;
 	BIO *s_bio=NULL;
 	int c_r,c_w,s_r,s_w;
-	int c_want,s_want;
 	int i,j;
 	int done=0;
 	int c_write,s_write;
@@ -1465,8 +1464,6 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count)
 
 	c_r=0; s_r=1;
 	c_w=1; s_w=0;
-	c_want=W_WRITE;
-	s_want=0;
 	c_write=1,s_write=0;
 
 	/* We can always do writes */
diff --git a/src/lib/libssl/src/ssl/t1_enc.c b/src/lib/libssl/src/ssl/t1_enc.c
index 9719541f2b..793ea43e90 100644
--- a/src/lib/libssl/src/ssl/t1_enc.c
+++ b/src/lib/libssl/src/ssl/t1_enc.c
@@ -157,7 +157,7 @@ static int tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
 			const void *seed5, int seed5_len,
 			unsigned char *out, int olen)
 	{
-	int chunk,n;
+	int chunk;
 	unsigned int j;
 	HMAC_CTX ctx;
 	HMAC_CTX ctx_tmp;
@@ -187,7 +187,6 @@ static int tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
 	if (!HMAC_Final(&ctx,A1,&A1_len))
 		goto err;
 
-	n=0;
 	for (;;)
 		{
 		if (!HMAC_Init_ex(&ctx,NULL,0,NULL,NULL)) /* re-init */
@@ -309,13 +308,13 @@ static int tls1_generate_key_block(SSL *s, unsigned char *km,
 int tls1_change_cipher_state(SSL *s, int which)
 	{
 	static const unsigned char empty[]="";
-	unsigned char *p,*key_block,*mac_secret;
+	unsigned char *p,*mac_secret;
 	unsigned char *exp_label;
 	unsigned char tmp1[EVP_MAX_KEY_LENGTH];
 	unsigned char tmp2[EVP_MAX_KEY_LENGTH];
 	unsigned char iv1[EVP_MAX_IV_LENGTH*2];
 	unsigned char iv2[EVP_MAX_IV_LENGTH*2];
-	unsigned char *ms,*key,*iv,*er1,*er2;
+	unsigned char *ms,*key,*iv;
 	int client_write;
 	EVP_CIPHER_CTX *dd;
 	const EVP_CIPHER *c;
@@ -337,7 +336,6 @@ int tls1_change_cipher_state(SSL *s, int which)
 #ifndef OPENSSL_NO_COMP
 	comp=s->s3->tmp.new_compression;
 #endif
-	key_block=s->s3->tmp.key_block;
 
 #ifdef KSSL_DEBUG
 	printf("tls1_change_cipher_state(which= %d) w/\n", which);
@@ -448,8 +446,6 @@ int tls1_change_cipher_state(SSL *s, int which)
 	               cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
 	/* Was j=(exp)?5:EVP_CIPHER_key_length(c); */
 	k=EVP_CIPHER_iv_length(c);
-	er1= &(s->s3->client_random[0]);
-	er2= &(s->s3->server_random[0]);
 	if (	(which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
 		(which == SSL3_CHANGE_CIPHER_SERVER_READ))
 		{
@@ -880,7 +876,7 @@ int tls1_final_finish_mac(SSL *s,
 int tls1_mac(SSL *ssl, unsigned char *md, int send)
 	{
 	SSL3_RECORD *rec;
-	unsigned char *mac_sec,*seq;
+	unsigned char *seq;
 	EVP_MD_CTX *hash;
 	size_t md_size;
 	int i;
@@ -892,14 +888,12 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
 	if (send)
 		{
 		rec= &(ssl->s3->wrec);
-		mac_sec= &(ssl->s3->write_mac_secret[0]);
 		seq= &(ssl->s3->write_sequence[0]);
 		hash=ssl->write_hash;
 		}
 	else
 		{
 		rec= &(ssl->s3->rrec);
-		mac_sec= &(ssl->s3->read_mac_secret[0]);
 		seq= &(ssl->s3->read_sequence[0]);
 		hash=ssl->read_hash;
 		}
diff --git a/src/lib/libssl/src/ssl/t1_lib.c b/src/lib/libssl/src/ssl/t1_lib.c
index e8bc34c111..85371c87b8 100644
--- a/src/lib/libssl/src/ssl/t1_lib.c
+++ b/src/lib/libssl/src/ssl/t1_lib.c
@@ -714,14 +714,23 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 				switch (servname_type)
 					{
 				case TLSEXT_NAMETYPE_host_name:
-					if (s->session->tlsext_hostname == NULL)
+					if (!s->hit)
 						{
-						if (len > TLSEXT_MAXLEN_host_name || 
-							((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))
+						if(s->session->tlsext_hostname)
+							{
+							*al = SSL_AD_DECODE_ERROR;
+							return 0;
+							}
+						if (len > TLSEXT_MAXLEN_host_name)
 							{
 							*al = TLS1_AD_UNRECOGNIZED_NAME;
 							return 0;
 							}
+						if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
+							{
+							*al = TLS1_AD_INTERNAL_ERROR;
+							return 0;
+							}
 						memcpy(s->session->tlsext_hostname, sdata, len);
 						s->session->tlsext_hostname[len]='\0';
 						if (strlen(s->session->tlsext_hostname) != len) {
@@ -734,7 +743,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 
 						}
 					else 
-						s->servername_done = strlen(s->session->tlsext_hostname) == len 
+						s->servername_done = s->session->tlsext_hostname
+							&& strlen(s->session->tlsext_hostname) == len 
 							&& strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
 					
 					break;
@@ -765,15 +775,22 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 				*al = TLS1_AD_DECODE_ERROR;
 				return 0;
 				}
-			s->session->tlsext_ecpointformatlist_length = 0;
-			if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
-			if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
+			if (!s->hit)
 				{
-				*al = TLS1_AD_INTERNAL_ERROR;
-				return 0;
+				if(s->session->tlsext_ecpointformatlist)
+					{
+					OPENSSL_free(s->session->tlsext_ecpointformatlist);
+					s->session->tlsext_ecpointformatlist = NULL;
+					}
+				s->session->tlsext_ecpointformatlist_length = 0;
+				if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
+					{
+					*al = TLS1_AD_INTERNAL_ERROR;
+					return 0;
+					}
+				s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
+				memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
 				}
-			s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
-			memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
 #if 0
 			fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
 			sdata = s->session->tlsext_ecpointformatlist;
@@ -794,15 +811,22 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 				*al = TLS1_AD_DECODE_ERROR;
 				return 0;
 				}
-			s->session->tlsext_ellipticcurvelist_length = 0;
-			if (s->session->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->session->tlsext_ellipticcurvelist);
-			if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
+			if (!s->hit)
 				{
-				*al = TLS1_AD_INTERNAL_ERROR;
-				return 0;
+				if(s->session->tlsext_ellipticcurvelist)
+					{
+					*al = TLS1_AD_DECODE_ERROR;
+					return 0;
+					}
+				s->session->tlsext_ellipticcurvelist_length = 0;
+				if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
+					{
+					*al = TLS1_AD_INTERNAL_ERROR;
+					return 0;
+					}
+				s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
+				memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
 				}
-			s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
-			memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
 #if 0
 			fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
 			sdata = s->session->tlsext_ellipticcurvelist;
@@ -893,6 +917,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 						}
 					n2s(data, idsize);
 					dsize -= 2 + idsize;
+					size -= 2 + idsize;
 					if (dsize < 0)
 						{
 						*al = SSL_AD_DECODE_ERROR;
@@ -931,9 +956,14 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 					}
 
 				/* Read in request_extensions */
+				if (size < 2)
+					{
+					*al = SSL_AD_DECODE_ERROR;
+					return 0;
+					}
 				n2s(data,dsize);
 				size -= 2;
-				if (dsize > size) 
+				if (dsize != size)
 					{
 					*al = SSL_AD_DECODE_ERROR;
 					return 0;
@@ -983,9 +1013,9 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 
 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
 	{
+	unsigned short length;
 	unsigned short type;
 	unsigned short size;
-	unsigned short len;  
 	unsigned char *data = *p;
 	int tlsext_servername = 0;
 	int renegotiate_seen = 0;
@@ -993,7 +1023,12 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 	if (data >= (d+n-2))
 		goto ri_check;
 
-	n2s(data,len);
+	n2s(data,length);
+	if (data+length != d+n)
+		{
+		*al = SSL_AD_DECODE_ERROR;
+		return 0;
+		}
 
 	while(data <= (d+n-4))
 		{
@@ -1423,23 +1458,20 @@ int ssl_check_serverhello_tlsext(SSL *s)
 	int al = SSL_AD_UNRECOGNIZED_NAME;
 
 #ifndef OPENSSL_NO_EC
-	/* If we are client and using an elliptic curve cryptography cipher suite, then server
-	 * must return a an EC point formats lists containing uncompressed.
+	/* If we are client and using an elliptic curve cryptography cipher
+	 * suite, then if server returns an EC point formats lists extension
+	 * it must contain uncompressed.
 	 */
 	unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
 	unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
 	if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 
+	    (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && 
 	    ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
 		{
 		/* we are using an ECC cipher */
 		size_t i;
 		unsigned char *list;
 		int found_uncompressed = 0;
-		if ((s->session->tlsext_ecpointformatlist == NULL) || (s->session->tlsext_ecpointformatlist_length == 0))
-			{
-			SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
-			return -1;
-			}
 		list = s->session->tlsext_ecpointformatlist;
 		for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
 			{
diff --git a/src/lib/libssl/src/test/bctest.com b/src/lib/libssl/src/test/bctest.com
new file mode 100644
index 0000000000..d7e5ec139e
--- /dev/null
+++ b/src/lib/libssl/src/test/bctest.com
@@ -0,0 +1,152 @@
+$!
+$! Check operation of "bc".
+$!
+$! 2010-04-05 SMS.  New.  Based (loosely) on "bctest".
+$!
+$!
+$ tmp_file_name = "tmp.bctest"
+$ failure = ""
+$!
+$! Basic command test.
+$!
+$ on warning then goto bc_fail
+$ bc
+$ on error then exit
+$!
+$! Test for SunOS 5.[78] bc bug.
+$!
+$ if (failure .eqs. "")
+$ then
+$!
+$     define /user_mode sys$output 'tmp_file_name'
+$     bc
+obase=16
+ibase=16
+a=AD88C418F31B3FC712D0425001D522B3AE9134FF3A98C13C1FCC1682211195406C1A6C66C6A\
+CEEC1A0EC16950233F77F1C2F2363D56DD71A36C57E0B2511FC4BA8F22D261FE2E9356D99AF57\
+10F3817C0E05BF79C423C3F66FDF321BE8D3F18F625D91B670931C1EF25F28E489BDA1C5422D1\
+C3F6F7A1AD21585746ECC4F10A14A778AF56F08898E965E9909E965E0CB6F85B514150C644759\
+3BE731877B16EA07B552088FF2EA728AC5E0FF3A23EB939304519AB8B60F2C33D6BA0945B66F0\
+4FC3CADF855448B24A9D7640BCF473E
+b=DCE91E7D120B983EA9A104B5A96D634DD644C37657B1C7860B45E6838999B3DCE5A555583C6\
+9209E41F413422954175A06E67FFEF6746DD652F0F48AEFECC3D8CAC13523BDAAD3F5AF4212BD\
+8B3CD64126E1A82E190228020C05B91C8B141F1110086FC2A4C6ED631EBA129D04BB9A19FC53D\
+3ED0E2017D60A68775B75481449
+(a/b)*b + (a%b) - a
+$     status = $status
+$     output_expected = "0"
+$     gosub check_output
+$     if (output .ne. 1)
+$     then
+$         failure = "SunOStest"
+$     else
+$         delete 'f$parse( tmp_file_name)'
+$     endif
+$ endif
+$!
+$! Test for SCO bc bug.
+$!
+$ if (failure .eqs. "")
+$ then
+$!
+$     define /user_mode sys$output 'tmp_file_name'
+$     bc
+obase=16
+ibase=16
+-FFDD63BA1A4648F0D804F8A1C66C53F0D2110590E8A3907EC73B4AEC6F15AC177F176F2274D2\
+9DC8022EA0D7DD3ABE9746D2D46DD3EA5B5F6F69DF12877E0AC5E7F5ADFACEE54573F5D256A06\
+11B5D2BC24947724E22AE4EC3FB0C39D9B4694A01AFE5E43B4D99FB9812A0E4A5773D8B254117\
+1239157EC6E3D8D50199 * -FFDD63BA1A4648F0D804F8A1C66C53F0D2110590E8A3907EC73B4\
+AEC6F15AC177F176F2274D29DC8022EA0D7DD3ABE9746D2D46DD3EA5B5F6F69DF12877E0AC5E7\
+F5ADFACEE54573F5D256A0611B5D2BC24947724E22AE4EC3FB0C39D9B4694A01AFE5E43B4D99F\
+B9812A0E4A5773D8B2541171239157EC6E3D8D50199 - FFBACC221682DA464B6D7F123482522\
+02EDAEDCA38C3B69E9B7BBCD6165A9CD8716C4903417F23C09A85B851961F92C217258CEEB866\
+85EFCC5DD131853A02C07A873B8E2AF2E40C6D5ED598CD0E8F35AD49F3C3A17FDB7653E4E2DC4\
+A8D23CC34686EE4AD01F7407A7CD74429AC6D36DBF0CB6A3E302D0E5BDFCD048A3B90C1BE5AA8\
+E16C3D5884F9136B43FF7BB443764153D4AEC176C681B078F4CC53D6EB6AB76285537DDEE7C18\
+8C72441B52EDBDDBC77E02D34E513F2AABF92F44109CAFE8242BD0ECBAC5604A94B02EA44D43C\
+04E9476E6FBC48043916BFA1485C6093603600273C9C33F13114D78064AE42F3DC466C7DA543D\
+89C8D71
+AD534AFBED2FA39EE9F40E20FCF9E2C861024DB98DDCBA1CD118C49CA55EEBC20D6BA51B2271C\
+928B693D6A73F67FEB1B4571448588B46194617D25D910C6A9A130CC963155CF34079CB218A44\
+8A1F57E276D92A33386DDCA3D241DB78C8974ABD71DD05B0FA555709C9910D745185E6FE108E3\
+37F1907D0C56F8BFBF52B9704 % -E557905B56B13441574CAFCE2BD257A750B1A8B2C88D0E36\
+E18EF7C38DAC80D3948E17ED63AFF3B3467866E3B89D09A81B3D16B52F6A3C7134D3C6F5123E9\
+F617E3145BBFBE9AFD0D6E437EA4FF6F04BC67C4F1458B4F0F47B64 - 1C2BBBB19B74E86FD32\
+9E8DB6A8C3B1B9986D57ED5419C2E855F7D5469E35E76334BB42F4C43E3F3A31B9697C171DAC4\
+D97935A7E1A14AD209D6CF811F55C6DB83AA9E6DFECFCD6669DED7171EE22A40C6181615CAF3F\
+5296964
+$     status = $status
+$     output_expected = "0\0"
+$     gosub check_output
+$     if (output .ne. 1)
+$     then
+$         failure = "SCOtest"
+$     else
+$         delete 'f$parse( tmp_file_name)'
+$     endif
+$ endif
+$!
+$! Test for working 'print' command.
+$!
+$ if (failure .eqs. "")
+$ then
+$!
+$     define /user_mode sys$output 'tmp_file_name'
+$     bc
+print "OK"
+$     status = $status
+$     output_expected = "OK"
+$     gosub check_output
+$     if (output .ne. 1)
+$     then
+$         failure = "printtest"
+$     else
+$         delete 'f$parse( tmp_file_name)'
+$     endif
+$ endif
+$!
+$ if (failure .nes. "")
+$ then
+$     write sys$output -
+       "No working bc found.  Consider installing GNU bc."
+$     exit %X00030000 ! %DCL-W-NORMAL
+$ endif
+$!
+$ exit
+$!
+$!
+$! Complete "bc" command failure.
+$!
+$ bc_fail:
+$ write sys$output -
+   "No ""bc"" program/symbol found.  Consider installing GNU bc."
+$ exit %X00030000 ! %DCL-W-NORMAL
+$!
+$!
+$! Output check subroutine.
+$!
+$ check_output:
+$     eof = 0
+$     line_nr = 0
+$     open /read tmp_file 'tmp_file_name'
+$     c_o_loop:
+$         read /error = error_read tmp_file line
+$         goto ok_read
+$         error_read:
+$         eof = 1
+$         ok_read:
+$         line_expected = f$element( line_nr, "\", output_expected)
+$         line_nr = line_nr+ 1
+$     if ((line_expected .nes. "\") .and. (.not. eof) .and. -
+       (line_expected .eqs. line)) then goto c_o_loop
+$!
+$     if ((line_expected .eqs. "\") .and. eof)
+$     then
+$         output = 1
+$     else
+$         output = 0
+$     endif
+$     close tmp_file
+$ return
+$!
diff --git a/src/lib/libssl/src/test/bntest.com b/src/lib/libssl/src/test/bntest.com
new file mode 100644
index 0000000000..6545d2e5a5
--- /dev/null
+++ b/src/lib/libssl/src/test/bntest.com
@@ -0,0 +1,76 @@
+$!
+$! Analyze bntest output file.
+$!
+$! Exit status = 1 (success) if all tests passed,
+$!               0 (warning) if any test failed.
+$!
+$! 2011-02-20 SMS.  Added code to skip "#" comments in the input file.
+$!
+$! 2010-04-05 SMS.  New.  Based (loosely) on perl code in bntest-vms.sh.
+$!
+$!                  Expect data like:
+$!                        test test_name1
+$!                        0
+$!                        [...]
+$!                        test test_name2
+$!                        0
+$!                        [...]
+$!                        [...]
+$!
+$!                  Some tests have no following "0" lines.
+$!
+$ result_file_name = f$edit( p1, "TRIM")
+$ if (result_file_name .eqs. "")
+$ then
+$     result_file_name = "bntest-vms.out"
+$ endif
+$!
+$ fail = 0
+$ passed = 0
+$ tests = 0
+$!
+$ on control_c then goto tidy
+$ on error then goto tidy
+$!
+$ open /read result_file 'result_file_name'
+$!
+$ read_loop:
+$     read /end = read_loop_end /error = tidy result_file line
+$     t1 = f$element( 0, " ", line)
+$!
+$!    Skip "#" comment lines.
+$     if (f$extract( 0, 1, f$edit( line, "TRIM")) .eqs. "#") then -
+       goto read_loop
+$!
+$     if (t1 .eqs. "test")
+$     then
+$         passed = passed+ 1
+$         tests = tests+ 1
+$         fail = 1
+$         t2 = f$extract( 5, 1000, line)
+$         write sys$output "verify ''t2'"
+$     else
+$         if (t1 .nes. "0")
+$         then
+$             write sys$output "Failed! bc: ''line'"
+$             passed = passed- fail
+$             fail = 0
+$         endif
+$     endif
+$ goto read_loop
+$ read_loop_end:
+$ write sys$output "''passed'/''tests' tests passed"
+$!
+$ tidy:
+$ if f$trnlnm( "result_file", "LNM$PROCESS_TABLE", , "SUPERVISOR", , "CONFINE")
+$ then
+$     close result_file
+$ endif
+$!
+$ if ((tests .gt. 0) .and. (tests .eq. passed))
+$ then
+$    exit 1
+$ else
+$    exit 0
+$ endif
+$!
diff --git a/src/lib/libssl/src/test/clean_test.com b/src/lib/libssl/src/test/clean_test.com
new file mode 100755
index 0000000000..7df633fbef
--- /dev/null
+++ b/src/lib/libssl/src/test/clean_test.com
@@ -0,0 +1,35 @@
+$!
+$! Delete various test results files.
+$!
+$ def_orig = f$environment( "default")
+$ proc = f$environment( "procedure")
+$ proc_dev_dir = f$parse( "A.;", proc) - "A.;"
+$!
+$ on control_c then goto tidy
+$ on error then goto tidy
+$!
+$ set default 'proc_dev_dir'
+$!
+$ files := *.cms;*, *.srl;*, *.ss;*, -
+   cms.err;*, cms.out;*, newreq.pem;*, -
+   p.txt-zlib-cipher;*, -
+   smtst.txt;*, testkey.pem;*, testreq.pem;*, -
+   test_*.err;*, test_*.out;*, -
+   .rnd;*
+$!
+$ delim = ","
+$ i = 0
+$ loop:
+$    file = f$edit( f$element( i, delim, files), "trim")
+$    if (file .eqs. delim) then goto loop_end
+$    if (f$search( file) .nes. "") then -
+      delete 'p1' 'file'
+$    i = i+ 1
+$ goto loop
+$ loop_end:
+$!
+$ tidy:
+$ 
+$ if (f$type( def_orig) .nes. "") then -
+   set default 'def_orig'
+$!
diff --git a/src/lib/libssl/src/test/maketests.com b/src/lib/libssl/src/test/maketests.com
index ca072f1d11..386e5cf3c1 100644
--- a/src/lib/libssl/src/test/maketests.com
+++ b/src/lib/libssl/src/test/maketests.com
@@ -25,7 +25,7 @@ $!	   VAXC	 For VAX C.
 $!	   DECC	 For DEC C.
 $!	   GNUC	 For GNU C.
 $!
-$!  If you don't speficy a compiler, it will try to determine which
+$!  If you don't specify a compiler, it will try to determine which
 $!  "C" compiler to use.
 $!
 $!  P3, if defined, sets a TCP/IP library to use, through one of the following
@@ -37,46 +37,87 @@ $!
 $!  P4, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up)
 $!
 $!
+$!  P5, if defined, specifies the C pointer size.  Ignored on VAX.
+$!      ("64=ARGV" gives more efficient code with HP C V7.3 or newer.)
+$!      Supported values are:
+$!
+$!      ""       Compile with default (/NOPOINTER_SIZE)
+$!      32       Compile with /POINTER_SIZE=32 (SHORT)
+$!      64       Compile with /POINTER_SIZE=64[=ARGV] (LONG[=ARGV])
+$!               (Automatically select ARGV if compiler supports it.)
+$!      64=      Compile with /POINTER_SIZE=64 (LONG).
+$!      64=ARGV  Compile with /POINTER_SIZE=64=ARGV (LONG=ARGV).
+$!
+$!  P6, if defined, specifies a directory where ZLIB files (zlib.h,
+$!  libz.olb) may be found.  Optionally, a non-default object library
+$!  name may be included ("dev:[dir]libz_64.olb", for example).
+$!
+$!
+$! Announce/identify.
+$!
+$ proc = f$environment( "procedure")
+$ write sys$output "@@@ "+ -
+   f$parse( proc, , , "name")+ f$parse( proc, , , "type")
+$!
 $! Define A TCP/IP Library That We Will Need To Link To.
-$! (That is, If Wee Need To Link To One.)
+$! (That is, If We Need To Link To One.)
 $!
 $ TCPIP_LIB = ""
+$ ZLIB_LIB = ""
 $!
 $! Check Which Architecture We Are Using.
 $!
-$ if (f$getsyi( "HW_MODEL") .lt. 1024)
+$ if (f$getsyi( "cpu") .lt. 128)
 $ then
-$    arch = "VAX"
+$    ARCH = "VAX"
 $ else
-$    arch = ""
-$    arch = arch+ f$edit( f$getsyi( "ARCH_NAME"), "UPCASE")
-$    if (arch .eqs. "") then arch = "UNK"
+$    ARCH = f$edit( f$getsyi( "ARCH_NAME"), "UPCASE")
+$    if (ARCH .eqs. "") then ARCH = "UNK"
 $ endif
 $!
-$! Define The OBJ and EXE Directories (EXE before CHECK_OPTIONS).
-$!
-$ OBJ_DIR := SYS$DISK:[-.'ARCH'.OBJ.TEST]
-$ EXE_DIR := SYS$DISK:[-.'ARCH'.EXE.TEST]
+$ ARCHD = ARCH
+$ LIB32 = "32"
+$ OPT_FILE = ""
+$ POINTER_SIZE = ""
 $!
 $! Check To Make Sure We Have Valid Command Line Parameters.
 $!
 $ GOSUB CHECK_OPTIONS
 $!
+$! Define The OBJ and EXE Directories.
+$!
+$ OBJ_DIR := SYS$DISK:[-.'ARCHD'.OBJ.TEST]
+$ EXE_DIR := SYS$DISK:[-.'ARCHD'.EXE.TEST]
+$!
+$! Specify the destination directory in any /MAP option.
+$!
+$ if (LINKMAP .eqs. "MAP")
+$ then
+$   LINKMAP = LINKMAP+ "=''EXE_DIR'"
+$ endif
+$!
+$! Add the location prefix to the linker options file name.
+$!
+$ if (OPT_FILE .nes. "")
+$ then
+$   OPT_FILE = EXE_DIR+ OPT_FILE
+$ endif
+$!
 $! Initialise logical names and such
 $!
 $ GOSUB INITIALISE
 $!
 $! Tell The User What Kind of Machine We Run On.
 $!
-$ WRITE SYS$OUTPUT "Compiling On ''ARCH'."
+$ WRITE SYS$OUTPUT "Host system architecture: ''ARCHD'"
 $!
 $! Define The CRYPTO-LIB We Are To Use.
 $!
-$ CRYPTO_LIB := SYS$DISK:[-.'ARCH'.EXE.CRYPTO]LIBCRYPTO.OLB
+$ CRYPTO_LIB := SYS$DISK:[-.'ARCHD'.EXE.CRYPTO]SSL_LIBCRYPTO'LIB32'.OLB
 $!
 $! Define The SSL We Are To Use.
 $!
-$ SSL_LIB := SYS$DISK:[-.'ARCH'.EXE.SSL]LIBSSL.OLB
+$ SSL_LIB := SYS$DISK:[-.'ARCHD'.EXE.SSL]SSL_LIBSSL'LIB32'.OLB
 $!
 $! Create the OBJ and EXE Directories, if needed.
 $!
@@ -105,7 +146,7 @@ $ TEST_FILES = "BNTEST,ECTEST,ECDSATEST,ECDHTEST,IDEATEST,"+ -
 	       "MDC2TEST,RMDTEST,"+ -
 	       "RANDTEST,DHTEST,ENGINETEST,"+ -
 	       "BFTEST,CASTTEST,SSLTEST,EXPTEST,DSATEST,RSA_TEST,"+ -
-	       "EVP_TEST,JPAKETEST"
+	       "EVP_TEST,IGETEST,JPAKETEST,ASN1TEST"
 $! Should we add MTTEST,PQ_TEST,LH_TEST,DIVTEST,TABTEST as well?
 $!
 $! Additional directory information.
@@ -139,8 +180,9 @@ $ T_D_EXPTEST    := [-.crypto.bn]
 $ T_D_DSATEST    := [-.crypto.dsa]
 $ T_D_RSA_TEST   := [-.crypto.rsa]
 $ T_D_EVP_TEST   := [-.crypto.evp]
-$ T_D_JPAKETEST  := [-.crypto.jpake]
 $ T_D_IGETEST    := [-.test]
+$ T_D_JPAKETEST  := [-.crypto.jpake]
+$ T_D_ASN1TEST   := [-.test]
 $!
 $ TCPIP_PROGRAMS = ",,"
 $ IF COMPILER .EQS. "VAXC" THEN -
@@ -223,33 +265,15 @@ $!
 $! Link The Program, Check To See If We Need To Link With RSAREF Or Not.
 $! Check To See If We Are To Link With A Specific TCP/IP Library.
 $!
-$ IF (TCPIP_LIB.NES."")
-$ THEN
-$!
 $!  Don't Link With The RSAREF Routines And TCP/IP Library.
 $!
-$   LINK /'DEBUGGER' /'TRACEBACK' /EXECTABLE = 'EXE_FILE' -
-	'OBJECT_FILE', -
-	'SSL_LIB' /LIBRARY, -
-	'CRYPTO_LIB' /LIBRARY, -
-	'TCPIP_LIB', -
-	'OPT_FILE' /OPTIONS
-$!
-$! Else...
-$!
-$ ELSE
-$!
-$!  Don't Link With The RSAREF Routines And Link With A TCP/IP Library.
-$!
-$   LINK /'DEBUGGER' /'TRACEBACK' /EXECUTABLE = 'EXE_FILE' -
-	'OBJECT_FILE', -
-	'SSL_LIB' /LIBRARY, -
-	'CRYPTO_LIB' /LIBRARY, -
-	'OPT_FILE' /OPTIONS
-$!
-$! End The TCP/IP Library Check.
-$!
-$ ENDIF
+$ LINK /'DEBUGGER' /'LINKMAP' /'TRACEBACK' /EXECTABLE = 'EXE_FILE' -
+   'OBJECT_FILE', -
+   'SSL_LIB' /LIBRARY, -
+   'CRYPTO_LIB' /LIBRARY -
+   'TCPIP_LIB' -
+   'ZLIB_LIB' -
+   ,'OPT_FILE' /OPTIONS
 $!
 $! Go Back And Do It Again.
 $!
@@ -313,7 +337,7 @@ $!
 $     CREATE 'OPT_FILE'
 $DECK
 !
-! Default System Options File To Link Agianst 
+! Default System Options File To Link Against 
 ! The Sharable C Runtime Library.
 !
 GNU_CC:[000000]GCCLIB.OLB /LIBRARY
@@ -348,7 +372,7 @@ $!
 $       CREATE 'OPT_FILE'
 $DECK
 !
-! Default System Options File To Link Agianst 
+! Default System Options File To Link Against 
 ! The Sharable DEC C Runtime Library.
 !
 SYS$SHARE:DECC$SHR.EXE /SHAREABLE
@@ -363,7 +387,7 @@ $!
 $       CREATE 'OPT_FILE'
 $DECK
 !
-! Default System Options File For non-VAX To Link Agianst 
+! Default System Options File For non-VAX To Link Against 
 ! The Sharable C Runtime Library.
 !
 SYS$SHARE:CMA$OPEN_LIB_SHR.EXE /SHAREABLE
@@ -442,19 +466,24 @@ $! Check The User's Options.
 $!
 $ CHECK_OPTIONS:
 $!
+$! Set basic C compiler /INCLUDE directories.
+$!
+$ CC_INCLUDES = "SYS$DISK:[-],SYS$DISK:[-.CRYPTO]"
+$!
 $! Check To See If P1 Is Blank.
 $!
 $ IF (P1.EQS."NODEBUG")
 $ THEN
 $!
-$!   P1 Is NODEBUG, So Compile Without Debugger Information.
+$!  P1 Is NODEBUG, So Compile Without Debugger Information.
 $!
-$    DEBUGGER  = "NODEBUG"
-$    TRACEBACK = "NOTRACEBACK" 
-$    GCC_OPTIMIZE = "OPTIMIZE"
-$    CC_OPTIMIZE = "OPTIMIZE"
-$    WRITE SYS$OUTPUT "No Debugger Information Will Be Produced During Compile."
-$    WRITE SYS$OUTPUT "Compiling With Compiler Optimization."
+$   DEBUGGER  = "NODEBUG"
+$   LINKMAP = "NOMAP"
+$   TRACEBACK = "NOTRACEBACK" 
+$   GCC_OPTIMIZE = "OPTIMIZE"
+$   CC_OPTIMIZE = "OPTIMIZE"
+$   WRITE SYS$OUTPUT "No Debugger Information Will Be Produced During Compile."
+$   WRITE SYS$OUTPUT "Compiling With Compiler Optimization."
 $!
 $! Else...
 $!
@@ -468,6 +497,7 @@ $!
 $!    Compile With Debugger Information.
 $!
 $     DEBUGGER  = "DEBUG"
+$     LINKMAP = "MAP"
 $     TRACEBACK = "TRACEBACK"
 $     GCC_OPTIMIZE = "NOOPTIMIZE"
 $     CC_OPTIMIZE = "NOOPTIMIZE"
@@ -478,7 +508,7 @@ $!  Else...
 $!
 $   ELSE
 $!
-$!    Tell The User Entered An Invalid Option..
+$!    Tell The User Entered An Invalid Option.
 $!
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT "The Option ",P1," Is Invalid.  The Valid Options Are:"
@@ -491,11 +521,87 @@ $!    Time To EXIT.
 $!
 $     EXIT
 $!
-$!  End The Valid Arguement Check.
+$!  End The Valid Argument Check.
+$!
+$   ENDIF
+$!
+$! End The P1 Check.
+$!
+$ ENDIF
+$!
+$! Check P5 (POINTER_SIZE).
+$!
+$ IF (P5 .NES. "") .AND. (ARCH .NES. "VAX")
+$ THEN
+$!
+$   IF (P5 .EQS. "32")
+$   THEN
+$     POINTER_SIZE = " /POINTER_SIZE=32"
+$   ELSE
+$     POINTER_SIZE = F$EDIT( P5, "COLLAPSE, UPCASE")
+$     IF ((POINTER_SIZE .EQS. "64") .OR. -
+       (POINTER_SIZE .EQS. "64=") .OR. -
+       (POINTER_SIZE .EQS. "64=ARGV"))
+$     THEN
+$       ARCHD = ARCH+ "_64"
+$       LIB32 = ""
+$       IF (F$EXTRACT( 2, 1, POINTER_SIZE) .EQS. "=")
+$       THEN
+$!        Explicit user choice: "64" or "64=ARGV".
+$         IF (POINTER_SIZE .EQS. "64=") THEN POINTER_SIZE = "64"
+$       ELSE
+$         SET NOON
+$         DEFINE /USER_MODE SYS$OUTPUT NL:
+$         DEFINE /USER_MODE SYS$ERROR NL:
+$         CC /NOLIST /NOOBJECT /POINTER_SIZE=64=ARGV NL:
+$         IF ($STATUS .AND. %X0FFF0000) .EQ. %X00030000
+$         THEN
+$           ! If we got here, it means DCL complained like this:
+$           ! %DCL-W-NOVALU, value not allowed - remove value specification
+$           !  \64=\
+$           !
+$           ! If the compiler was run, logicals defined in /USER would
+$           ! have been deassigned automatically.  However, when DCL
+$           ! complains, they aren't, so we do it here (it might be
+$           ! unnecessary, but just in case there will be another error
+$           ! message further on that we don't want to miss)
+$           DEASSIGN /USER_MODE SYS$ERROR
+$           DEASSIGN /USER_MODE SYS$OUTPUT
+$         ELSE
+$           POINTER_SIZE = POINTER_SIZE + "=ARGV"
+$         ENDIF
+$         SET ON
+$       ENDIF
+$       POINTER_SIZE = " /POINTER_SIZE=''POINTER_SIZE'"
+$     ELSE
+$!
+$!      Tell The User Entered An Invalid Option.
+$!
+$       WRITE SYS$OUTPUT ""
+$       WRITE SYS$OUTPUT "The Option ", P5, -
+         " Is Invalid.  The Valid Options Are:"
+$       WRITE SYS$OUTPUT ""
+$       WRITE SYS$OUTPUT -
+         "    """"  :  Compile with default (short) pointers."
+$       WRITE SYS$OUTPUT -
+         "    32  :  Compile with 32-bit (short) pointers."
+$       WRITE SYS$OUTPUT -
+         "    64       :  Compile with 64-bit (long) pointers (auto ARGV)."
+$       WRITE SYS$OUTPUT -
+         "    64=      :  Compile with 64-bit (long) pointers (no ARGV)."
+$       WRITE SYS$OUTPUT -
+         "    64=ARGV  :  Compile with 64-bit (long) pointers (ARGV)."
+$       WRITE SYS$OUTPUT ""
+$! 
+$!      Time To EXIT.
+$!
+$       EXIT
+$!
+$     ENDIF
 $!
 $   ENDIF
 $!
-$! End The P2 Check.
+$! End The P5 (POINTER_SIZE) Check.
 $!
 $ ENDIF
 $!
@@ -599,11 +705,64 @@ $ CCDEFS = "TCPIP_TYPE_''P3'"
 $ IF F$TYPE(USER_CCDEFS) .NES. "" THEN CCDEFS = CCDEFS + "," + USER_CCDEFS
 $ CCEXTRAFLAGS = ""
 $ IF F$TYPE(USER_CCFLAGS) .NES. "" THEN CCEXTRAFLAGS = USER_CCFLAGS
-$ CCDISABLEWARNINGS = "LONGLONGTYPE,LONGLONGSUFX,FOUNDCR"
+$ CCDISABLEWARNINGS = "" !!! "LONGLONGTYPE,LONGLONGSUFX,FOUNDCR"
 $ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. "" THEN -
 	CCDISABLEWARNINGS = CCDISABLEWARNINGS + "," + USER_CCDISABLEWARNINGS
 $!
-$!  Check To See If The User Entered A Valid Paramter.
+$! Check To See If We Have A ZLIB Option.
+$!
+$ ZLIB = P6
+$ IF (ZLIB .NES. "")
+$ THEN
+$!
+$!  Check for expected ZLIB files.
+$!
+$   err = 0
+$   file1 = f$parse( "zlib.h", ZLIB, , , "SYNTAX_ONLY")
+$   if (f$search( file1) .eqs. "")
+$   then
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "The Option ", ZLIB, " Is Invalid."
+$     WRITE SYS$OUTPUT "    Can't find header: ''file1'"
+$     err = 1
+$   endif
+$   file1 = f$parse( "A.;", ZLIB)- "A.;"
+$!
+$   file2 = f$parse( ZLIB, "libz.olb", , , "SYNTAX_ONLY")
+$   if (f$search( file2) .eqs. "")
+$   then
+$     if (err .eq. 0)
+$     then
+$       WRITE SYS$OUTPUT ""
+$       WRITE SYS$OUTPUT "The Option ", ZLIB, " Is Invalid."
+$     endif
+$     WRITE SYS$OUTPUT "    Can't find library: ''file2'"
+$     WRITE SYS$OUTPUT ""
+$     err = err+ 2
+$   endif
+$   if (err .eq. 1)
+$   then
+$     WRITE SYS$OUTPUT ""
+$   endif
+$!
+$   if (err .ne. 0)
+$   then
+$     GOTO EXIT
+$   endif
+$!
+$   CCDEFS = """ZLIB=1"", "+ CCDEFS
+$   CC_INCLUDES = CC_INCLUDES+ ", "+ file1
+$   ZLIB_LIB = ", ''file2' /library"
+$!
+$!  Print info
+$!
+$   WRITE SYS$OUTPUT "ZLIB library spec: ", file2
+$!
+$! End The P8 Check.
+$!
+$ ENDIF
+$!
+$!  Check To See If The User Entered A Valid Parameter.
 $!
 $ IF (P2.EQS."VAXC").OR.(P2.EQS."DECC").OR.(P2.EQS."GNUC")
 $ THEN
@@ -626,13 +785,13 @@ $!
 $     CC = "CC"
 $     IF ARCH.EQS."VAX" .AND. F$TRNLNM("DECC$CC_DEFAULT").NES."/DECC" -
 	 THEN CC = "CC /DECC"
-$     CC = CC + "/''CC_OPTIMIZE' /''DEBUGGER' /STANDARD=ANSI89" + -
-           "/NOLIST /PREFIX=ALL" + -
-	   "/INCLUDE=(SYS$DISK:[-],SYS$DISK:[-.CRYPTO])" + CCEXTRAFLAGS
+$     CC = CC + " /''CC_OPTIMIZE' /''DEBUGGER' /STANDARD=RELAXED"+ -
+       "''POINTER_SIZE' /NOLIST /PREFIX=ALL" + -
+       " /INCLUDE=(''CC_INCLUDES') " + CCEXTRAFLAGS
 $!
 $!    Define The Linker Options File Name.
 $!
-$     OPT_FILE = "''EXE_DIR'VAX_DECC_OPTIONS.OPT"
+$     OPT_FILE = "VAX_DECC_OPTIONS.OPT"
 $!
 $!  End DECC Check.
 $!
@@ -661,7 +820,7 @@ $	EXIT
 $     ENDIF
 $     IF F$TRNLNM("DECC$CC_DEFAULT").EQS."/DECC" THEN CC = "CC /VAXC"
 $     CC = CC + "/''CC_OPTIMIZE' /''DEBUGGER' /NOLIST" + -
-	   "/INCLUDE=(SYS$DISK:[-],SYS$DISK:[-.CRYPTO])" + CCEXTRAFLAGS
+	   "/INCLUDE=(''CC_INCLUDES')" + CCEXTRAFLAGS
 $     CCDEFS = CCDEFS + ",""VAXC"""
 $!
 $!    Define <sys> As SYS$COMMON:[SYSLIB]
@@ -670,7 +829,7 @@ $     DEFINE /NOLOG SYS SYS$COMMON:[SYSLIB]
 $!
 $!    Define The Linker Options File Name.
 $!
-$     OPT_FILE = "''EXE_DIR'VAX_VAXC_OPTIONS.OPT"
+$     OPT_FILE = "VAX_VAXC_OPTIONS.OPT"
 $!
 $!  End VAXC Check
 $!
@@ -692,11 +851,11 @@ $!
 $!    Use GNU C...
 $!
 $     CC = "GCC /NOCASE_HACK /''GCC_OPTIMIZE' /''DEBUGGER' /NOLIST" + -
-	   "/INCLUDE=(SYS$DISK:[-],SYS$DISK:[-.CRYPTO])" + CCEXTRAFLAGS
+	   "/INCLUDE=(''CC_INCLUDES')" + CCEXTRAFLAGS
 $!
 $!    Define The Linker Options File Name.
 $!
-$     OPT_FILE = "''EXE_DIR'VAX_GNUC_OPTIONS.OPT"
+$     OPT_FILE = "VAX_GNUC_OPTIONS.OPT"
 $!
 $!  End The GNU C Check.
 $!
@@ -715,20 +874,20 @@ $     THEN
 $       CC4DISABLEWARNINGS = "DOLLARID"
 $     ELSE
 $       CC4DISABLEWARNINGS = CCDISABLEWARNINGS + ",DOLLARID"
-$       CCDISABLEWARNINGS = "/WARNING=(DISABLE=(" + CCDISABLEWARNINGS + "))"
+$       CCDISABLEWARNINGS = " /WARNING=(DISABLE=(" + CCDISABLEWARNINGS + "))"
 $     ENDIF
-$     CC4DISABLEWARNINGS = "/WARNING=(DISABLE=(" + CC4DISABLEWARNINGS + "))"
+$     CC4DISABLEWARNINGS = " /WARNING=(DISABLE=(" + CC4DISABLEWARNINGS + "))"
 $   ELSE
 $     CCDISABLEWARNINGS = ""
 $     CC4DISABLEWARNINGS = ""
 $   ENDIF
-$   CC = CC + "/DEFINE=(" + CCDEFS + ")" + CCDISABLEWARNINGS
+$   CC = CC + " /DEFINE=(" + CCDEFS + ")" + CCDISABLEWARNINGS
 $!
 $!  Show user the result
 $!
 $   WRITE /SYMBOL SYS$OUTPUT "Main Compiling Command: ", CC
 $!
-$!  Else The User Entered An Invalid Arguement.
+$!  Else The User Entered An Invalid Argument.
 $!
 $ ELSE
 $!
@@ -760,7 +919,7 @@ $   THEN
 $!
 $!    Set the library to use SOCKETSHR
 $!
-$     TCPIP_LIB = "SYS$DISK:[-.VMS]SOCKETSHR_SHR.OPT /OPTIONS"
+$     TCPIP_LIB = ",SYS$DISK:[-.VMS]SOCKETSHR_SHR.OPT /OPTIONS"
 $!
 $!    Done with SOCKETSHR
 $!
@@ -786,13 +945,13 @@ $   THEN
 $!
 $!    Set the library to use UCX.
 $!
-$     TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_DECC.OPT /OPTIONS"
+$     TCPIP_LIB = ",SYS$DISK:[-.VMS]UCX_SHR_DECC.OPT /OPTIONS"
 $     IF F$TRNLNM("UCX$IPC_SHR") .NES. ""
 $     THEN
-$       TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_DECC_LOG.OPT /OPTIONS"
+$       TCPIP_LIB = ",SYS$DISK:[-.VMS]UCX_SHR_DECC_LOG.OPT /OPTIONS"
 $     ELSE
 $       IF COMPILER .NES. "DECC" .AND. ARCH .EQS. "VAX" THEN -
-	  TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_VAXC.OPT /OPTIONS"
+	  TCPIP_LIB = ",SYS$DISK:[-.VMS]UCX_SHR_VAXC.OPT /OPTIONS"
 $     ENDIF
 $!
 $!    Done with UCX
@@ -806,7 +965,7 @@ $   THEN
 $!
 $!    Set the library to use TCPIP (post UCX).
 $!
-$     TCPIP_LIB = "SYS$DISK:[-.VMS]TCPIP_SHR_DECC.OPT /OPTIONS"
+$     TCPIP_LIB = ",SYS$DISK:[-.VMS]TCPIP_SHR_DECC.OPT /OPTIONS"
 $!
 $!    Done with TCPIP
 $!
@@ -827,9 +986,9 @@ $   ENDIF
 $!
 $!  Print info
 $!
-$   WRITE SYS$OUTPUT "TCP/IP library spec: ", TCPIP_LIB
+$   WRITE SYS$OUTPUT "TCP/IP library spec: ", TCPIP_LIB- ","
 $!
-$!  Else The User Entered An Invalid Arguement.
+$!  Else The User Entered An Invalid Argument.
 $!
 $ ELSE
 $!
diff --git a/src/lib/libssl/src/test/tcrl.com b/src/lib/libssl/src/test/tcrl.com
index 1f606eb850..dd96a2b6dd 100644
--- a/src/lib/libssl/src/test/tcrl.com
+++ b/src/lib/libssl/src/test/tcrl.com
@@ -1,14 +1,17 @@
 $! TCRL.COM  --  Tests crl keys
 $
-$	__arch := VAX
+$	__arch = "VAX"
 $	if f$getsyi("cpu") .ge. 128 then -
 	   __arch = f$edit( f$getsyi( "ARCH_NAME"), "UPCASE")
-$	if __arch .eqs. "" then __arch := UNK
-$	exe_dir := sys$disk:[-.'__arch'.exe.apps]
+$	if __arch .eqs. "" then __arch = "UNK"
+$!
+$	if (p2 .eqs. "64") then __arch = __arch+ "_64"
+$!
+$	exe_dir = "sys$disk:[-.''__arch'.exe.apps]"
 $
-$	cmd := mcr 'exe_dir'openssl crl
+$	cmd = "mcr ''exe_dir'openssl crl"
 $
-$	t := testcrl.pem
+$	t = "testcrl.pem"
 $	if p1 .nes. "" then t = p1
 $
 $	write sys$output "testing CRL conversions"
diff --git a/src/lib/libssl/src/test/testca.com b/src/lib/libssl/src/test/testca.com
index ec7e56dad6..78cda9ec5a 100644
--- a/src/lib/libssl/src/test/testca.com
+++ b/src/lib/libssl/src/test/testca.com
@@ -1,11 +1,13 @@
 $! TESTCA.COM
 $
-$	__arch := VAX
+$	__arch = "VAX"
 $	if f$getsyi("cpu") .ge. 128 then -
 	   __arch = f$edit( f$getsyi( "ARCH_NAME"), "UPCASE")
-$	if __arch .eqs. "" then __arch := UNK
+$	if __arch .eqs. "" then __arch = "UNK"
+$!
+$       if (p1 .eqs. "64") then __arch = __arch+ "_64"
 $
-$	openssl := mcr 'exe_dir'openssl
+$	openssl = "mcr ''exe_dir'openssl"
 $
 $	SSLEAY_CONFIG="-config ""CAss.cnf"""
 $
diff --git a/src/lib/libssl/src/test/testenc.com b/src/lib/libssl/src/test/testenc.com
index 621d9a2126..75acd6f07f 100644
--- a/src/lib/libssl/src/test/testenc.com
+++ b/src/lib/libssl/src/test/testenc.com
@@ -1,13 +1,16 @@
 $! TESTENC.COM  --  Test encoding and decoding
 $
-$	__arch := VAX
+$	__arch = "VAX"
 $	if f$getsyi("cpu") .ge. 128 then -
 	   __arch = f$edit( f$getsyi( "ARCH_NAME"), "UPCASE")
-$	if __arch .eqs. "" then __arch := UNK
+$	if __arch .eqs. "" then __arch = "UNK"
+$!
+$	if (p1 .eqs. 64) then __arch = __arch+ "_64"
 $
-$	testsrc := makefile.
-$	test := p.txt
-$	cmd := mcr 'exe_dir'openssl
+$	exe_dir = "sys$disk:[-.''__arch'.exe.apps]"
+$	testsrc = "makefile."
+$	test = "p.txt"
+$	cmd = "mcr ''exe_dir'openssl"
 $
 $	if f$search(test) .nes. "" then delete 'test';*
 $	convert/fdl=sys$input: 'testsrc' 'test'
diff --git a/src/lib/libssl/src/test/testgen.com b/src/lib/libssl/src/test/testgen.com
index a4bc574bec..e076da2f30 100644
--- a/src/lib/libssl/src/test/testgen.com
+++ b/src/lib/libssl/src/test/testgen.com
@@ -1,14 +1,15 @@
-$! TETSGEN.COM
+$! TESTGEN.COM
 $
-$	__arch := VAX
+$	__arch = "VAX"
 $	if f$getsyi("cpu") .ge. 128 then -
 	   __arch = f$edit( f$getsyi( "ARCH_NAME"), "UPCASE")
-$	if __arch .eqs. "" then __arch := UNK
-$	exe_dir := sys$disk:[-.'__arch'.exe.apps]
+$	if __arch .eqs. "" then __arch = "UNK"
+$	if (p1 .eqs. 64) then __arch = __arch+ "_64"
+$	exe_dir = "sys$disk:[-.''__arch'.exe.apps]"
 $
-$	T := testcert
+$	T = "testcert"
 $	KEY = 512
-$	CA := [-.certs]testca.pem
+$	CA = "[-.certs]testca.pem"
 $
 $	set noon
 $	if f$search(T+".1;*") .nes. "" then delete 'T'.1;*
@@ -20,7 +21,8 @@ $	write sys$output "generating certificate request"
 $
 $	append/new nl: .rnd
 $	open/append random_file .rnd
-$	write random_file "string to make the random number generator think it has entropy"
+$	write random_file -
+	 "string to make the random number generator think it has entropy"
 $	close random_file
 $
 $	set noon
@@ -33,8 +35,10 @@ $	then
 $	    req_new="-newkey dsa:[-.apps]dsa512.pem"
 $	else
 $	    req_new="-new"
-$	    write sys$output "There should be a 2 sequences of .'s and some +'s."
-$	    write sys$output "There should not be more that at most 80 per line"
+$	    write sys$output -
+	     "There should be a 2 sequences of .'s and some +'s."
+$	    write sys$output -
+	     "There should not be more that at most 80 per line"
 $	endif
 $
 $	write sys$output "This could take some time."
diff --git a/src/lib/libssl/src/test/tests.com b/src/lib/libssl/src/test/tests.com
index d151cd3955..373dd16eac 100644
--- a/src/lib/libssl/src/test/tests.com
+++ b/src/lib/libssl/src/test/tests.com
@@ -1,22 +1,43 @@
 $! TESTS.COM  --  Performs the necessary tests
 $!
 $! P1	tests to be performed.  Empty means all.
-$
+$! P2	Pointer size: "", "32", or "64".
+$!
+$! Announce/identify.
+$!
+$	proc = f$environment( "procedure")
+$	write sys$output "@@@ "+ -
+	 f$parse( proc, , , "name")+ f$parse( proc, , , "type")
+$!
 $	__proc = f$element(0,";",f$environment("procedure"))
 $	__here = f$parse(f$parse("A.;",__proc) - "A.;","[]A.;") - "A.;"
 $	__save_default = f$environment("default")
-$	__arch := VAX
+$	__arch = "VAX"
 $	if f$getsyi("cpu") .ge. 128 then -
 	   __arch = f$edit( f$getsyi( "ARCH_NAME"), "UPCASE")
-$	if __arch .eqs. "" then __arch := UNK
-$	texe_dir := sys$disk:[-.'__arch'.exe.test]
-$	exe_dir := sys$disk:[-.'__arch'.exe.apps]
-$
-$	sslroot = f$parse("sys$disk:[-.apps];",,,,"syntax_only") - "].;"+ ".]"
-$	define /translation_attributes = concealed sslroot 'sslroot'
+$	if __arch .eqs. "" then __arch = "UNK"
+$!
+$	__archd = __arch
+$       pointer_size = ""
+$	if (p2 .eq. "64")
+$	then
+$	  pointer_size = "64"
+$	  __archd = __arch+ "_64"
+$	endif
+$!
+$	texe_dir := sys$disk:[-.'__archd'.exe.test]
+$	exe_dir := sys$disk:[-.'__archd'.exe.apps]
 $
 $	set default '__here'
 $
+$       ROOT = F$PARSE("sys$disk:[-]A.;0",,,,"SYNTAX_ONLY,NO_CONCEAL") - "A.;0"
+$       ROOT_DEV = F$PARSE(ROOT,,,"DEVICE","SYNTAX_ONLY")
+$       ROOT_DIR = F$PARSE(ROOT,,,"DIRECTORY","SYNTAX_ONLY") -
+                   - ".][000000" - "[000000." - "][" - "[" - "]"
+$       ROOT = ROOT_DEV + "[" + ROOT_DIR
+$       DEFINE/NOLOG SSLROOT 'ROOT'.APPS.] /TRANS=CONC
+$	openssl_conf := sslroot:[000000]openssl-vms.cnf
+$
 $	on control_y then goto exit
 $	on error then goto exit
 $
@@ -70,17 +91,19 @@ $	ENGINETEST :=	enginetest
 $	EVPTEST :=	evp_test
 $	IGETEST :=	igetest
 $	JPAKETEST :=	jpaketest
-$
+$	ASN1TEST :=	asn1test
+$!
 $	tests_i = 0
 $ loop_tests:
 $	tests_e = f$element(tests_i,",",tests)
 $	tests_i = tests_i + 1
 $	if tests_e .eqs. "," then goto exit
+$	write sys$output "---> ''tests_e'"
 $	gosub 'tests_e'
 $	goto loop_tests
 $
 $ test_evp:
-$	mcr 'texe_dir''evptest' evptests.txt
+$	mcr 'texe_dir''evptest' 'ROOT'.CRYPTO.EVP]evptests.txt
 $	return
 $ test_des:
 $	mcr 'texe_dir''destest'
@@ -132,68 +155,109 @@ $ test_rand:
 $	mcr 'texe_dir''randtest'
 $	return
 $ test_enc:
-$	@testenc.com
+$	@testenc.com 'pointer_size'
 $	return
 $ test_x509:
-$	define sys$error nla0:
+$	set noon
+$	define sys$error test_x509.err
 $	write sys$output "test normal x509v1 certificate"
-$	@tx509.com
+$	@tx509.com "" 'pointer_size'
 $	write sys$output "test first x509v3 certificate"
-$	@tx509.com v3-cert1.pem
+$	@tx509.com v3-cert1.pem 'pointer_size'
 $	write sys$output "test second x509v3 certificate"
-$	@tx509.com v3-cert2.pem
+$	@tx509.com v3-cert2.pem 'pointer_size'
 $	deassign sys$error
+$	set on
 $	return
 $ test_rsa:
-$	define sys$error nla0:
-$	@trsa.com
+$	set noon
+$	define sys$error test_rsa.err
+$	@trsa.com "" 'pointer_size'
 $	deassign sys$error
 $	mcr 'texe_dir''rsatest'
+$	set on
 $	return
 $ test_crl:
-$	define sys$error nla0:
-$	@tcrl.com
+$	set noon
+$	define sys$error test_crl.err
+$	@tcrl.com "" 'pointer_size'
 $	deassign sys$error
+$	set on
 $	return
 $ test_sid:
-$	define sys$error nla0:
-$	@tsid.com
+$	set noon
+$	define sys$error test_sid.err
+$	@tsid.com "" 'pointer_size'
 $	deassign sys$error
+$	set on
 $	return
 $ test_req:
-$	define sys$error nla0:
-$	@treq.com
-$	@treq.com testreq2.pem
+$	set noon
+$	define sys$error test_req.err
+$	@treq.com "" 'pointer_size'
+$	@treq.com testreq2.pem 'pointer_size'
 $	deassign sys$error
+$	set on
 $	return
 $ test_pkcs7:
-$	define sys$error nla0:
-$	@tpkcs7.com
-$	@tpkcs7d.com
+$	set noon
+$	define sys$error test_pkcs7.err
+$	@tpkcs7.com "" 'pointer_size'
+$	@tpkcs7d.com "" 'pointer_size'
 $	deassign sys$error
+$	set on
 $	return
 $ test_bn:
-$	write sys$output "starting big number library test, could take a while..."
-$	create bntest-vms.fdl
+$	write sys$output -
+	      "starting big number library test, could take a while..."
+$	set noon
+$	define sys$error test_bn.err
+$	define sys$output test_bn.out
+$	@ bctest.com
+$	status = $status
+$	deassign sys$error
+$	deassign sys$output
+$	set on
+$	if (status)
+$	then
+$	    create /fdl = sys$input bntest-vms.tmp
+FILE
+	ORGANIZATION	sequential
+RECORD
+	FORMAT		stream_lf
+$	    define /user_mode sys$output bntest-vms.tmp
+$	    mcr 'texe_dir''bntest'
+$	    define /user_mode sys$input bntest-vms.tmp
+$	    define /user_mode sys$output bntest-vms.out
+$	    bc
+$	    @ bntest.com bntest-vms.out
+$	    status = $status
+$	    if (status)
+$	    then
+$		delete bntest-vms.out;*
+$		delete bntest-vms.tmp;*
+$	    endif
+$	else
+$	    create /fdl = sys$input bntest-vms.sh
 FILE
 	ORGANIZATION	sequential
 RECORD
 	FORMAT		stream_lf
-$	create/fdl=bntest-vms.fdl bntest-vms.sh
-$	open/append foo bntest-vms.sh
-$	type/output=foo: sys$input:
+$	    open /append bntest_file bntest-vms.sh
+$	    type /output = bntest_file sys$input:
 << __FOO__ sh -c "`sh ./bctest`" | perl -e '$i=0; while (<STDIN>) {if (/^test (.*)/) {print STDERR "\nverify $1";} elsif (!/^0$/) {die "\nFailed! bc: $_";} else {print STDERR "."; $i++;}} print STDERR "\n$i tests passed\n"'
-$	define/user sys$output bntest-vms.tmp
-$	mcr 'texe_dir''bntest'
-$	copy bntest-vms.tmp foo:
-$	delete bntest-vms.tmp;*
-$	type/output=foo: sys$input:
+$	    define /user_mode sys$output bntest-vms.tmp
+$	    mcr 'texe_dir''bntest'
+$	    copy bntest-vms.tmp bntest_file
+$	    delete bntest-vms.tmp;*
+$	    type /output = bntest_file sys$input:
 __FOO__
-$	close foo
-$	write sys$output "-- copy the [.test]bntest-vms.sh and [.test]bctest files to a Unix system and"
-$	write sys$output "-- run bntest-vms.sh through sh or bash to verify that the bignum operations"
-$	write sys$output "-- went well."
-$	write sys$output ""
+$	    close bntest_file
+$	    write sys$output "-- copy the [.test]bntest-vms.sh and [.test]bctest files to a Unix system and"
+$	    write sys$output "-- run bntest-vms.sh through sh or bash to verify that the bignum operations"
+$	    write sys$output "-- went well."
+$	    write sys$output ""
+$	endif
 $	write sys$output "test a^b%c implementations"
 $	mcr 'texe_dir''exptest'
 $	return
@@ -212,7 +276,7 @@ $	return
 $ test_verify:
 $	write sys$output "The following command should have some OK's and some failures"
 $	write sys$output "There are definitly a few expired certificates"
-$	@tverify.com
+$	@tverify.com 'pointer_size'
 $	return
 $ test_dh:
 $	write sys$output "Generate a set of DH parameters"
@@ -224,7 +288,7 @@ $	mcr 'texe_dir''dsatest'
 $	return
 $ test_gen:
 $	write sys$output "Generate and verify a certificate request"
-$	@testgen.com
+$	@testgen.com 'pointer_size'
 $	return
 $ maybe_test_ss:
 $	testss_RDT = f$cvtime(f$file_attributes("testss.com","RDT"))
@@ -237,7 +301,7 @@ $	if f$cvtime(f$file_attributes("certCA.ss","RDT")) .les. testss_RDT then -
 $	return
 $ test_ss:
 $	write sys$output "Generate and certify a test certificate"
-$	@testss.com
+$	@testss.com 'pointer_size'
 $	return
 $ test_engine: 
 $	write sys$output "Manipulate the ENGINE structures"
@@ -246,11 +310,11 @@ $	return
 $ test_ssl:
 $	write sys$output "test SSL protocol"
 $	gosub maybe_test_ss
-$	@testssl.com keyU.ss certU.ss certCA.ss
+$	@testssl.com keyU.ss certU.ss certCA.ss 'pointer_size'
 $	return
 $ test_ca:
 $	set noon
-$	define/user sys$output nla0:
+$	define /user_mode sys$output test_ca.out
 $	mcr 'exe_dir'openssl no-rsa
 $	save_severity=$SEVERITY
 $	set on
@@ -259,7 +323,7 @@ $	then
 $	    write sys$output "skipping CA.com test -- requires RSA"
 $	else
 $	    write sys$output "Generate and certify a test certificate via the 'ca' program"
-$	    @testca.com
+$	    @testca.com 'pointer_size'
 $	endif
 $	return
 $ test_aes: 
@@ -268,7 +332,7 @@ $!	!mcr 'texe_dir''aestest'
 $	return
 $ test_tsa:
 $	set noon
-$	define/user sys$output nla0:
+$	define /user_mode sys$output nla0:
 $	mcr 'exe_dir'openssl no-rsa
 $	save_severity=$SEVERITY
 $	set on
@@ -276,7 +340,7 @@ $	if save_severity
 $	then
 $	    write sys$output "skipping testtsa.com test -- requires RSA"
 $	else
-$	    @testtsa.com
+$	    @testtsa.com "" "" "" 'pointer_size'
 $	endif
 $	return
 $ test_ige: 
@@ -289,11 +353,14 @@ $	mcr 'texe_dir''jpaketest'
 $	return
 $ test_cms:
 $	write sys$output "CMS consistency test"
+$	! Define the logical name used to find openssl.exe in the perl script.
+$	define /user_mode osslx 'exe_dir'
 $	perl CMS-TEST.PL
 $	return
 $
 $
 $ exit:
+$	mcr 'exe_dir'openssl version -a
 $	set default '__save_default'
 $	deassign sslroot
 $	exit
diff --git a/src/lib/libssl/src/test/testss.com b/src/lib/libssl/src/test/testss.com
index 6598106b09..32a74d0fc2 100644
--- a/src/lib/libssl/src/test/testss.com
+++ b/src/lib/libssl/src/test/testss.com
@@ -1,16 +1,19 @@
 $! TESTSS.COM
 $
-$	__arch := VAX
+$	__arch = "VAX"
 $	if f$getsyi("cpu") .ge. 128 then -
 	   __arch = f$edit( f$getsyi( "ARCH_NAME"), "UPCASE")
-$	if __arch .eqs. "" then __arch := UNK
-$	exe_dir := sys$disk:[-.'__arch'.exe.apps]
+$	if __arch .eqs. "" then __arch = "UNK"
+$!
+$	if (p1 .eqs. "64") then __arch = __arch+ "_64"
+$!
+$	exe_dir = "sys$disk:[-.''__arch'.exe.apps]"
 $
 $	digest="-md5"
-$	reqcmd := mcr 'exe_dir'openssl req
-$	x509cmd := mcr 'exe_dir'openssl x509 'digest'
-$	verifycmd := mcr 'exe_dir'openssl verify
-$	dummycnf := sys$disk:[-.apps]openssl-vms.cnf
+$	reqcmd = "mcr ''exe_dir'openssl req"
+$	x509cmd = "mcr ''exe_dir'openssl x509 ''digest'"
+$	verifycmd = "mcr ''exe_dir'openssl verify"
+$	dummycnf = "sys$disk:[-.apps]openssl-vms.cnf"
 $
 $	CAkey="""keyCA.ss"""
 $	CAcert="""certCA.ss"""
diff --git a/src/lib/libssl/src/test/testssl.com b/src/lib/libssl/src/test/testssl.com
index 9c83afba04..f19edc4719 100644
--- a/src/lib/libssl/src/test/testssl.com
+++ b/src/lib/libssl/src/test/testssl.com
@@ -1,11 +1,14 @@
 $! TESTSSL.COM
 $
-$	__arch := VAX
+$	__arch = "VAX"
 $	if f$getsyi("cpu") .ge. 128 then -
 	   __arch = f$edit( f$getsyi( "ARCH_NAME"), "UPCASE")
-$	if __arch .eqs. "" then __arch := UNK
-$	texe_dir := sys$disk:[-.'__arch'.exe.test]
-$	exe_dir := sys$disk:[-.'__arch'.exe.apps]
+$	if __arch .eqs. "" then __arch = "UNK"
+$!
+$	if (p4 .eqs. "64") then __arch = __arch+ "_64"
+$!
+$	texe_dir = "sys$disk:[-.''__arch'.exe.test]"
+$	exe_dir = "sys$disk:[-.''__arch'.exe.apps]"
 $
 $	if p1 .eqs. ""
 $	then
@@ -19,21 +22,21 @@ $	    cert="[-.apps]server.pem"
 $	else
 $	    cert=p2
 $	endif
-$	ssltest := mcr 'texe_dir'ssltest -key 'key' -cert 'cert' -c_key 'key' -c_cert 'cert'
-$
+$	ssltest = "mcr ''texe_dir'ssltest -key ''key'"+ -
+	 " -cert ''cert' -c_key ''key' -c_cert ''cert'"
+$!
+$	set noon
 $	define/user sys$output testssl-x509-output.
 $	define/user sys$error nla0:
 $	mcr 'exe_dir'openssl x509 -in 'cert' -text -noout
-$	set noon
 $	define/user sys$error nla0:
 $	search/output=nla0: testssl-x509-output. "DSA Public Key"/exact
 $	if $severity .eq. 1
 $	then
-$	    dsa_cert := YES
+$	    dsa_cert = "YES"
 $	else
-$	    dsa_cert := NO
+$	    dsa_cert = "NO"
 $	endif
-$	set on
 $	delete testssl-x509-output.;*
 $
 $	if p3 .eqs. ""
@@ -161,14 +164,12 @@ $	if $severity .ne. 1 then goto exit3
 $
 $!###########################################################################
 $
-$	set noon
 $	define/user sys$output nla0:
 $	mcr 'exe_dir'openssl no-rsa
 $	no_rsa=$SEVERITY
 $	define/user sys$output nla0:
 $	mcr 'exe_dir'openssl no-dh
 $	no_dh=$SEVERITY
-$	set on
 $
 $	if no_dh
 $	then
@@ -203,4 +204,5 @@ $ exit3:
 $	RET = 3
 $ exit:
 $	if p3 .eqs. "" then delete certs.tmp;*
+$	set on
 $	exit 'RET'
diff --git a/src/lib/libssl/src/test/testtsa.com b/src/lib/libssl/src/test/testtsa.com
index e3c586f14a..29fb1d0e63 100644
--- a/src/lib/libssl/src/test/testtsa.com
+++ b/src/lib/libssl/src/test/testtsa.com
@@ -2,14 +2,17 @@ $!
 $! A few very basic tests for the 'ts' time stamping authority command.
 $!
 $
-$	__arch := VAX
+$	__arch = "VAX"
 $	if f$getsyi("cpu") .ge. 128 then -
 	   __arch = f$edit( f$getsyi( "ARCH_NAME"), "UPCASE")
-$	if __arch .eqs. "" then __arch := UNK
-$	exe_dir := sys$disk:[-.'__arch'.exe.apps]
+$	if __arch .eqs. "" then __arch = "UNK"
+$!
+$	if (p4 .eqs. "64") then __arch = __arch+ "_64"
+$!
+$	exe_dir = "sys$disk:[-.''__arch'.exe.apps]"
 $
-$	openssl := mcr 'f$parse(exe_dir+"openssl.exe")'
-$	OPENSSL_CONF := [-]CAtsa.cnf
+$	openssl = "mcr ''f$parse(exe_dir+"openssl.exe")'"
+$	OPENSSL_CONF = "[-]CAtsa.cnf"
 $	! Because that's what ../apps/CA.sh really looks at
 $	SSLEAY_CONFIG = "-config " + OPENSSL_CONF
 $
@@ -114,8 +117,8 @@ $
 $ time_stamp_response_token_test:
 $	subroutine
 $
-$		RESPONSE2:='p2'.copy_tsr
-$		TOKEN_DER:='p2'.token_der
+$		RESPONSE2 = p2+ "-copy_tsr"
+$		TOKEN_DER = p2+ "-token_der"
 $		openssl ts -reply -in 'p2' -out 'TOKEN_DER' -token_out
 $		if $severity .ne. 1 then call error
 $		openssl ts -reply -in 'TOKEN_DER' -token_in -out 'RESPONSE2'
@@ -145,13 +148,13 @@ $ verify_time_stamp_token:
 $	subroutine
 $
 $		! create the token from the response first
-$		openssl ts -reply -in 'p2' -out 'p2'.token -token_out
+$		openssl ts -reply -in "''p2'" -out "''p2'-token" -token_out
 $		if $severity .ne. 1 then call error
-$		openssl ts -verify -queryfile 'p1' -in 'p2'.token -token_in -
-			"-CAfile" tsaca.pem -untrusted tsa_cert1.pem
+$		openssl ts -verify -queryfile "''p1'" -in "''p2'-token" -
+		 -token_in "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
 $		if $severity .ne. 1 then call error
-$		openssl ts -verify -data 'p3' -in 'p2'.token -token_in -
-			"-CAfile" tsaca.pem -untrusted tsa_cert1.pem
+$		openssl ts -verify -data "''p3'" -in "''p2'-token" -
+		 -token_in "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
 $		if $severity .ne. 1 then call error
 $	endsubroutine
 $
@@ -167,6 +170,8 @@ $	endsubroutine
 $
 $	! Main body ----------------------------------------------------------
 $
+$	set noon
+$
 $	write sys$output "Setting up TSA test directory..."
 $	call setup_dir
 $
@@ -183,66 +188,68 @@ $	write sys$output "Creating req1.req time stamp request for file testtsa..."
 $	call create_time_stamp_request1
 $
 $	write sys$output "Printing req1.req..."
-$	call print_request req1.tsq
+$	call print_request "req1.tsq"
 $
 $	write sys$output "Generating valid response for req1.req..."
-$	call create_time_stamp_response req1.tsq resp1.tsr tsa_config1
+$	call create_time_stamp_response "req1.tsq" "resp1.tsr" "tsa_config1"
 $
 $	write sys$output "Printing response..."
-$	call print_response resp1.tsr
+$	call print_response "resp1.tsr"
 $
 $	write sys$output "Verifying valid response..."
-$	call verify_time_stamp_response req1.tsq resp1.tsr [-]testtsa.com
+$	call verify_time_stamp_response "req1.tsq" "resp1.tsr" "[-]testtsa.com"
 $
 $	write sys$output "Verifying valid token..."
-$	call verify_time_stamp_token req1.tsq resp1.tsr [-]testtsa.com
+$	call verify_time_stamp_token "req1.tsq" "resp1.tsr" "[-]testtsa.com"
 $
 $	! The tests below are commented out, because invalid signer certificates
 $	! can no longer be specified in the config file.
 $
 $	! write sys$output "Generating _invalid_ response for req1.req..."
-$	! call create_time_stamp_response req1.tsq resp1_bad.tsr tsa_config2
+$	! call create_time_stamp_response "req1.tsq" "resp1_bad.tsr" "tsa_config2"
 $
 $	! write sys$output "Printing response..."
-$	! call print_response resp1_bad.tsr
+$	! call print_response "resp1_bad.tsr"
 $
 $	! write sys$output "Verifying invalid response, it should fail..."
-$	! call verify_time_stamp_response_fail req1.tsq resp1_bad.tsr
+$	! call verify_time_stamp_response_fail "req1.tsq" "resp1_bad.tsr"
 $
 $	write sys$output "Creating req2.req time stamp request for file testtsa..."
 $	call create_time_stamp_request2
 $
 $	write sys$output "Printing req2.req..."
-$	call print_request req2.tsq
+$	call print_request "req2.tsq"
 $
 $	write sys$output "Generating valid response for req2.req..."
-$	call create_time_stamp_response req2.tsq resp2.tsr tsa_config1
+$	call create_time_stamp_response "req2.tsq" "resp2.tsr" "tsa_config1"
 $
 $	write sys$output "Checking '-token_in' and '-token_out' options with '-reply'..."
-$	call time_stamp_response_token_test req2.tsq resp2.tsr
+$	call time_stamp_response_token_test "req2.tsq" "resp2.tsr"
 $
 $	write sys$output "Printing response..."
-$	call print_response resp2.tsr
+$	call print_response "resp2.tsr"
 $
 $	write sys$output "Verifying valid response..."
-$	call verify_time_stamp_response req2.tsq resp2.tsr [-]testtsa.com
+$	call verify_time_stamp_response "req2.tsq" "resp2.tsr" "[-]testtsa.com"
 $
 $	write sys$output "Verifying response against wrong request, it should fail..."
-$	call verify_time_stamp_response_fail req1.tsq resp2.tsr
+$	call verify_time_stamp_response_fail "req1.tsq" "resp2.tsr"
 $
 $	write sys$output "Verifying response against wrong request, it should fail..."
-$	call verify_time_stamp_response_fail req2.tsq resp1.tsr
+$	call verify_time_stamp_response_fail "req2.tsq" "resp1.tsr"
 $
 $	write sys$output "Creating req3.req time stamp request for file CAtsa.cnf..."
 $	call create_time_stamp_request3
 $
 $	write sys$output "Printing req3.req..."
-$	call print_request req3.tsq
+$	call print_request "req3.tsq"
 $
 $	write sys$output "Verifying response against wrong request, it should fail..."
-$	call verify_time_stamp_response_fail req3.tsq resp1.tsr
+$	call verify_time_stamp_response_fail "req3.tsq" "resp1.tsr"
 $
 $	write sys$output "Cleaning up..."
 $	call clean_up_dir
 $
+$	set on
+$
 $	exit
diff --git a/src/lib/libssl/src/test/tpkcs7.com b/src/lib/libssl/src/test/tpkcs7.com
index e107cc141a..3fc4982bb0 100644
--- a/src/lib/libssl/src/test/tpkcs7.com
+++ b/src/lib/libssl/src/test/tpkcs7.com
@@ -1,14 +1,17 @@
 $! TPKCS7.COM  --  Tests pkcs7 keys
 $
-$	__arch := VAX
+$	__arch = "VAX"
 $	if f$getsyi("cpu") .ge. 128 then -
 	   __arch = f$edit( f$getsyi( "ARCH_NAME"), "UPCASE")
-$	if __arch .eqs. "" then __arch := UNK
-$	exe_dir := sys$disk:[-.'__arch'.exe.apps]
+$	if __arch .eqs. "" then __arch = "UNK"
+$!
+$	if (p2 .eqs. "64") then __arch = __arch+ "_64"
+$!
+$	exe_dir = "sys$disk:[-.''__arch'.exe.apps]"
 $
-$	cmd := mcr 'exe_dir'openssl pkcs7
+$	cmd = "mcr ''exe_dir'openssl pkcs7"
 $
-$	t := testp7.pem
+$	t = "testp7.pem"
 $	if p1 .nes. "" then t = p1
 $
 $	write sys$output "testing PKCS7 conversions"
diff --git a/src/lib/libssl/src/test/tpkcs7d.com b/src/lib/libssl/src/test/tpkcs7d.com
index 5ff653ccee..eea8c888ee 100644
--- a/src/lib/libssl/src/test/tpkcs7d.com
+++ b/src/lib/libssl/src/test/tpkcs7d.com
@@ -1,14 +1,17 @@
 $! TPKCS7.COM  --  Tests pkcs7 keys
 $
-$	__arch := VAX
+$	__arch = "VAX"
 $	if f$getsyi("cpu") .ge. 128 then -
 	   __arch = f$edit( f$getsyi( "ARCH_NAME"), "UPCASE")
-$	if __arch .eqs. "" then __arch := UNK
-$	exe_dir := sys$disk:[-.'__arch'.exe.apps]
+$	if __arch .eqs. "" then __arch = "UNK"
+$!
+$	if (p2 .eqs. "64") then __arch = __arch+ "_64"
+$!
+$	exe_dir = "sys$disk:[-.''__arch'.exe.apps]"
 $
-$	cmd := mcr 'exe_dir'openssl pkcs7
+$	cmd = "mcr ''exe_dir'openssl pkcs7"
 $
-$	t := pkcs7-1.pem
+$	t = "pkcs7-1.pem"
 $	if p1 .nes. "" then t = p1
 $
 $	write sys$output "testing PKCS7 conversions (2)"
diff --git a/src/lib/libssl/src/test/treq.com b/src/lib/libssl/src/test/treq.com
index d2594be6a7..acf08b79ef 100644
--- a/src/lib/libssl/src/test/treq.com
+++ b/src/lib/libssl/src/test/treq.com
@@ -1,14 +1,17 @@
 $! TREQ.COM  --  Tests req keys
 $
-$	__arch := VAX
+$	__arch = "VAX"
 $	if f$getsyi("cpu") .ge. 128 then -
 	   __arch = f$edit( f$getsyi( "ARCH_NAME"), "UPCASE")
-$	if __arch .eqs. "" then __arch := UNK
-$	exe_dir := sys$disk:[-.'__arch'.exe.apps]
+$	if __arch .eqs. "" then __arch = "UNK"
+$!
+$	if (p2 .eqs. "64") then __arch = __arch+ "_64"
+$!
+$	exe_dir = "sys$disk:[-.''__arch'.exe.apps]"
 $
-$	cmd := mcr 'exe_dir'openssl req -config [-.apps]openssl-vms.cnf
+$	cmd = "mcr ''exe_dir'openssl req -config [-.apps]openssl-vms.cnf"
 $
-$	t := testreq.pem
+$	t = "testreq.pem"
 $	if p1 .nes. "" then t = p1
 $
 $	write sys$output "testing req conversions"
diff --git a/src/lib/libssl/src/test/trsa.com b/src/lib/libssl/src/test/trsa.com
index d3a8a605b7..54180843ee 100644
--- a/src/lib/libssl/src/test/trsa.com
+++ b/src/lib/libssl/src/test/trsa.com
@@ -1,10 +1,13 @@
 $! TRSA.COM  --  Tests rsa keys
 $
-$	__arch := VAX
+$	__arch = "VAX"
 $	if f$getsyi("cpu") .ge. 128 then -
 	   __arch = f$edit( f$getsyi( "ARCH_NAME"), "UPCASE")
-$	if __arch .eqs. "" then __arch := UNK
-$	exe_dir := sys$disk:[-.'__arch'.exe.apps]
+$	if __arch .eqs. "" then __arch = "UNK"
+$!
+$	if (p2 .eqs. "64") then __arch = __arch+ "_64"
+$!
+$	exe_dir = "sys$disk:[-.''__arch'.exe.apps]"
 $
 $	set noon
 $	define/user sys$output nla0:
@@ -17,9 +20,9 @@ $	    write sys$output "skipping RSA conversion test"
 $	    exit
 $	endif
 $
-$	cmd := mcr 'exe_dir'openssl rsa
+$	cmd = "mcr ''exe_dir'openssl rsa"
 $
-$	t := testrsa.pem
+$	t = "testrsa.pem"
 $	if p1 .nes. "" then t = p1
 $
 $	write sys$output "testing RSA conversions"
diff --git a/src/lib/libssl/src/test/tsid.com b/src/lib/libssl/src/test/tsid.com
index 267ace1135..b6c4e49473 100644
--- a/src/lib/libssl/src/test/tsid.com
+++ b/src/lib/libssl/src/test/tsid.com
@@ -1,14 +1,17 @@
 $! TSID.COM  --  Tests sid keys
 $
-$	__arch := VAX
+$	__arch = "VAX"
 $	if f$getsyi("cpu") .ge. 128 then -
 	   __arch = f$edit( f$getsyi( "ARCH_NAME"), "UPCASE")
-$	if __arch .eqs. "" then __arch := UNK
-$	exe_dir := sys$disk:[-.'__arch'.exe.apps]
+$	if __arch .eqs. "" then __arch = "UNK"
+$!
+$	if (p2 .eqs. "64") then __arch = __arch+ "_64"
+$!
+$	exe_dir = "sys$disk:[-.''__arch'.exe.apps]"
 $
-$	cmd := mcr 'exe_dir'openssl sess_id
+$	cmd = "mcr ''exe_dir'openssl sess_id"
 $
-$	t := testsid.pem
+$	t = "testsid.pem"
 $	if p1 .nes. "" then t = p1
 $
 $	write sys$output "testing session-id conversions"
diff --git a/src/lib/libssl/src/test/tverify.com b/src/lib/libssl/src/test/tverify.com
index 01431f4aac..d888344637 100644
--- a/src/lib/libssl/src/test/tverify.com
+++ b/src/lib/libssl/src/test/tverify.com
@@ -1,13 +1,15 @@
 $! TVERIFY.COM
 $
-$	__arch := VAX
+$	__arch = "VAX"
 $	if f$getsyi("cpu") .ge. 128 then -
 	   __arch = f$edit( f$getsyi( "ARCH_NAME"), "UPCASE")
-$	if __arch .eqs. "" then __arch := UNK
+$	if __arch .eqs. "" then __arch = "UNK"
+$!
+$	if (p1 .eqs. "64") then __arch = __arch+ "_64"
 $!
 $	line_max = 255 ! Could be longer on modern non-VAX.
 $	temp_file_name = "certs_"+ f$getjpi( "", "PID")+ ".tmp"
-$	exe_dir := sys$disk:[-.'__arch'.exe.apps]
+$	exe_dir = "sys$disk:[-.''__arch'.exe.apps]"
 $	cmd = "mcr ''exe_dir'openssl verify ""-CAfile"" ''temp_file_name'"
 $	cmd_len = f$length( cmd)
 $	pems = "[-.certs...]*.pem"
@@ -19,7 +21,7 @@ $!
 $!	Loop through all the certificate files.
 $!
 $	args = ""
-$	old_f :=
+$	old_f = ""
 $ loop_file: 
 $	    f = f$search( pems)
 $	    if ((f .nes. "") .and. (f .nes. old_f))
diff --git a/src/lib/libssl/src/test/tx509.com b/src/lib/libssl/src/test/tx509.com
index 399eb01490..93ce988b41 100644
--- a/src/lib/libssl/src/test/tx509.com
+++ b/src/lib/libssl/src/test/tx509.com
@@ -1,14 +1,17 @@
 $! TX509.COM  --  Tests x509 certificates
 $
-$	__arch := VAX
+$	__arch = "VAX"
 $	if f$getsyi("cpu") .ge. 128 then -
 	   __arch = f$edit( f$getsyi( "ARCH_NAME"), "UPCASE")
-$	if __arch .eqs. "" then __arch := UNK
-$	exe_dir := sys$disk:[-.'__arch'.exe.apps]
+$	if __arch .eqs. "" then __arch = "UNK"
+$!
+$	if (p2 .eqs. "64") then __arch = __arch+ "_64"
+$!
+$	exe_dir = "sys$disk:[-.''__arch'.exe.apps]"
 $
-$	cmd := mcr 'exe_dir'openssl x509
+$	cmd = "mcr ''exe_dir'openssl x509"
 $
-$	t := testx509.pem
+$	t = "testx509.pem"
 $	if p1 .nes. "" then t = p1
 $
 $	write sys$output "testing X509 conversions"
diff --git a/src/lib/libssl/src/util/cygwin.sh b/src/lib/libssl/src/util/cygwin.sh
index a4f2e740b4..d6228521e6 100644
--- a/src/lib/libssl/src/util/cygwin.sh
+++ b/src/lib/libssl/src/util/cygwin.sh
@@ -8,7 +8,7 @@
 #set -x
 
 CONFIG_OPTIONS="--prefix=/usr shared zlib no-idea no-rc5"
-INSTALL_PREFIX=/tmp/install
+INSTALL_PREFIX=/tmp/install/INSTALL
 
 VERSION=
 SUBVERSION=$1
@@ -124,8 +124,12 @@ strip usr/bin/*.exe usr/bin/*.dll usr/lib/engines/*.so
 chmod u-w usr/lib/engines/*.so
 
 # Runtime package
-find etc usr/bin usr/lib/engines usr/share/doc usr/ssl/certs \
-     usr/ssl/man/man[157] usr/ssl/misc usr/ssl/openssl.cnf usr/ssl/private \
+tar cjf libopenssl${VERSION//[!0-9]/}-${VERSION}-${SUBVERSION}.tar.bz2 \
+     usr/bin/cyg*dll
+# Base package
+find etc usr/bin/openssl.exe usr/bin/c_rehash usr/lib/engines usr/share/doc \
+     usr/ssl/certs usr/ssl/man/man[157] usr/ssl/misc usr/ssl/openssl.cnf \
+     usr/ssl/private \
      -empty -o \! -type d |
 tar cjfT openssl-${VERSION}-${SUBVERSION}.tar.bz2 -
 # Development package
@@ -135,6 +139,7 @@ tar cjfT openssl-devel-${VERSION}-${SUBVERSION}.tar.bz2 -
 
 ls -l openssl-${VERSION}-${SUBVERSION}.tar.bz2
 ls -l openssl-devel-${VERSION}-${SUBVERSION}.tar.bz2
+ls -l libopenssl${VERSION//[!0-9]/}-${VERSION}-${SUBVERSION}.tar.bz2
 
 cleanup
 
diff --git a/src/lib/libssl/src/util/libeay.num b/src/lib/libssl/src/util/libeay.num
index 6f3067ae2b..b23619f20a 100644
--- a/src/lib/libssl/src/util/libeay.num
+++ b/src/lib/libssl/src/util/libeay.num
@@ -4178,3 +4178,19 @@ UI_method_get_prompt_constructr         4550	EXIST:VMS:FUNCTION:
 UI_method_set_prompt_constructor        4551	EXIST:!VMS:FUNCTION:
 UI_method_set_prompt_constructr         4551	EXIST:VMS:FUNCTION:
 EVP_read_pw_string_min                  4552	EXIST::FUNCTION:
+CRYPTO_cts128_encrypt                   4553	EXIST::FUNCTION:
+CRYPTO_cts128_decrypt_block             4554	EXIST::FUNCTION:
+CRYPTO_cfb128_1_encrypt                 4555	EXIST::FUNCTION:
+CRYPTO_cbc128_encrypt                   4556	EXIST::FUNCTION:
+CRYPTO_ctr128_encrypt                   4557	EXIST::FUNCTION:
+CRYPTO_ofb128_encrypt                   4558	EXIST::FUNCTION:
+CRYPTO_cts128_decrypt                   4559	EXIST::FUNCTION:
+CRYPTO_cts128_encrypt_block             4560	EXIST::FUNCTION:
+CRYPTO_cbc128_decrypt                   4561	EXIST::FUNCTION:
+CRYPTO_cfb128_encrypt                   4562	EXIST::FUNCTION:
+CRYPTO_cfb128_8_encrypt                 4563	EXIST::FUNCTION:
+OPENSSL_strcasecmp                      4564	EXIST::FUNCTION:
+OPENSSL_memcmp                          4565	EXIST::FUNCTION:
+OPENSSL_strncasecmp                     4566	EXIST::FUNCTION:
+OPENSSL_gmtime                          4567	EXIST::FUNCTION:
+OPENSSL_gmtime_adj                      4568	EXIST::FUNCTION:
diff --git a/src/lib/libssl/src/util/mk1mf.pl b/src/lib/libssl/src/util/mk1mf.pl
index 280e9de1ad..afe8c7326d 100644
--- a/src/lib/libssl/src/util/mk1mf.pl
+++ b/src/lib/libssl/src/util/mk1mf.pl
@@ -13,6 +13,7 @@ $banner="\t\@echo Building OpenSSL";
 
 my $no_static_engine = 1;
 my $engines = "";
+my $otherlibs = "";
 local $zlib_opt = 0;	# 0 = no zlib, 1 = static, 2 = dynamic
 local $zlib_lib = "";
 local $perl_asm = 0;	# 1 to autobuild asm files from perl scripts
@@ -266,6 +267,7 @@ $cflags.=" -DOPENSSL_NO_KRB5" if $no_krb5;
 $cflags.=" -DOPENSSL_NO_EC"   if $no_ec;
 $cflags.=" -DOPENSSL_NO_ECDSA" if $no_ecdsa;
 $cflags.=" -DOPENSSL_NO_ECDH" if $no_ecdh;
+$cflags.=" -DOPENSSL_NO_GOST" if $no_gost;
 $cflags.=" -DOPENSSL_NO_ENGINE"   if $no_engine;
 $cflags.=" -DOPENSSL_NO_HW"   if $no_hw;
 $cflags.=" -DOPENSSL_NO_JPAKE"    if $no_jpake;
@@ -356,6 +358,12 @@ for (;;)
 		$lib=$val;
 		$lib =~ s/^.*\/([^\/]+)$/$1/;
 		}
+	if ($key eq "LIBNAME" && $no_static_engine)
+		{
+		$lib=$val;
+		$lib =~ s/^.*\/([^\/]+)$/$1/;
+		$otherlibs .= " $lib";
+		}
 
 	if ($key eq "EXHEADER")
 		{ $exheader.=&var_add($dir,$val, 1); }
@@ -658,7 +666,7 @@ foreach (split(/\s+/,$test))
 	$rules.=&do_link_rule("\$(TEST_D)$o$t$exep",$tt,"\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)");
 	}
 
-$defs.=&do_defs("E_SHLIB",$engines,"\$(ENG_D)",$shlibp);
+$defs.=&do_defs("E_SHLIB",$engines . $otherlibs,"\$(ENG_D)",$shlibp);
 
 foreach (split(/\s+/,$engines))
 	{
@@ -671,6 +679,14 @@ foreach (split(/\s+/,$engines))
 $rules.= &do_lib_rule("\$(SSLOBJ)","\$(O_SSL)",$ssl,$shlib,"\$(SO_SSL)");
 $rules.= &do_lib_rule("\$(CRYPTOOBJ)","\$(O_CRYPTO)",$crypto,$shlib,"\$(SO_CRYPTO)");
 
+foreach (split(" ",$otherlibs))
+	{
+	my $uc = $_;
+	$uc =~ tr /a-z/A-Z/;	
+	$rules.= &do_lib_rule("\$(${uc}OBJ)","\$(ENG_D)$o$_$shlibp", "", $shlib, "");
+
+	}
+
 $rules.=&do_link_rule("\$(BIN_D)$o\$(E_EXE)$exep","\$(E_OBJ)","\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)");
 
 print $defs;
@@ -708,6 +724,7 @@ sub var_add
 	return("") if $no_dsa  && $dir =~ /\/dsa/;
 	return("") if $no_dh   && $dir =~ /\/dh/;
 	return("") if $no_ec   && $dir =~ /\/ec/;
+	return("") if $no_gost   && $dir =~ /\/ccgost/;
 	return("") if $no_cms  && $dir =~ /\/cms/;
 	return("") if $no_jpake  && $dir =~ /\/jpake/;
 	if ($no_des && $dir =~ /\/des/)
@@ -1047,6 +1064,7 @@ sub read_options
 		"no-ec" => \$no_ec,
 		"no-ecdsa" => \$no_ecdsa,
 		"no-ecdh" => \$no_ecdh,
+		"no-gost" => \$no_gost,
 		"no-engine" => \$no_engine,
 		"no-hw" => \$no_hw,
 		"just-ssl" =>
diff --git a/src/lib/libssl/src/util/mkdef.pl b/src/lib/libssl/src/util/mkdef.pl
index a4a17e3ae9..ab47329097 100644
--- a/src/lib/libssl/src/util/mkdef.pl
+++ b/src/lib/libssl/src/util/mkdef.pl
@@ -257,6 +257,8 @@ $ssl.=" ssl/tls1.h";
 
 my $crypto ="crypto/crypto.h";
 $crypto.=" crypto/o_dir.h";
+$crypto.=" crypto/o_str.h";
+$crypto.=" crypto/o_time.h";
 $crypto.=" crypto/des/des.h crypto/des/des_old.h" ; # unless $no_des;
 $crypto.=" crypto/idea/idea.h" ; # unless $no_idea;
 $crypto.=" crypto/rc4/rc4.h" ; # unless $no_rc4;
@@ -316,6 +318,7 @@ $crypto.=" crypto/krb5/krb5_asn.h";
 $crypto.=" crypto/pqueue/pqueue.h";
 $crypto.=" crypto/cms/cms.h";
 $crypto.=" crypto/jpake/jpake.h";
+$crypto.=" crypto/modes/modes.h";
 
 my $symhacks="crypto/symhacks.h";
 
diff --git a/src/lib/libssl/src/util/mkerr.pl b/src/lib/libssl/src/util/mkerr.pl
index 15b774f277..2c99467d34 100644
--- a/src/lib/libssl/src/util/mkerr.pl
+++ b/src/lib/libssl/src/util/mkerr.pl
@@ -391,7 +391,7 @@ foreach $lib (keys %csrc)
 	} else {
 	    push @out,
 "/* ====================================================================\n",
-" * Copyright (c) 2001-2010 The OpenSSL Project.  All rights reserved.\n",
+" * Copyright (c) 2001-2011 The OpenSSL Project.  All rights reserved.\n",
 " *\n",
 " * Redistribution and use in source and binary forms, with or without\n",
 " * modification, are permitted provided that the following conditions\n",
@@ -576,7 +576,7 @@ EOF
 	print OUT <<"EOF";
 /* $cfile */
 /* ====================================================================
- * Copyright (c) 1999-2010 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/src/lib/libssl/src/util/mkstack.pl b/src/lib/libssl/src/util/mkstack.pl
index 6a43757c95..f708610a78 100644
--- a/src/lib/libssl/src/util/mkstack.pl
+++ b/src/lib/libssl/src/util/mkstack.pl
@@ -104,25 +104,25 @@ EOF
 
 #define sk_${t1}_new(cmp) ((STACK_OF($t1) *)sk_new(CHECKED_SK_CMP_FUNC($t2, cmp)))
 #define sk_${t1}_new_null() ((STACK_OF($t1) *)sk_new_null())
-#define sk_${t1}_push(st, val) sk_push(CHECKED_PTR_OF(STACK_OF($t1), st), CHECKED_PTR_OF($t2, val))
-#define sk_${t1}_find(st, val) sk_find(CHECKED_PTR_OF(STACK_OF($t1), st), CHECKED_PTR_OF($t2, val))
-#define sk_${t1}_value(st, i) (($t1)sk_value(CHECKED_PTR_OF(STACK_OF($t1), st), i))
+#define sk_${t1}_push(st, val) sk_push(CHECKED_STACK_OF($t1, st), CHECKED_PTR_OF($t2, val))
+#define sk_${t1}_find(st, val) sk_find(CHECKED_STACK_OF($t1, st), CHECKED_PTR_OF($t2, val))
+#define sk_${t1}_value(st, i) (($t1)sk_value(CHECKED_STACK_OF($t1, st), i))
 #define sk_${t1}_num(st) SKM_sk_num($t1, st)
-#define sk_${t1}_pop_free(st, free_func) sk_pop_free(CHECKED_PTR_OF(STACK_OF($t1), st), CHECKED_SK_FREE_FUNC2($t1, free_func))
-#define sk_${t1}_insert(st, val, i) sk_insert(CHECKED_PTR_OF(STACK_OF($t1), st), CHECKED_PTR_OF($t2, val), i)
+#define sk_${t1}_pop_free(st, free_func) sk_pop_free(CHECKED_STACK_OF($t1, st), CHECKED_SK_FREE_FUNC2($t1, free_func))
+#define sk_${t1}_insert(st, val, i) sk_insert(CHECKED_STACK_OF($t1, st), CHECKED_PTR_OF($t2, val), i)
 #define sk_${t1}_free(st) SKM_sk_free(${t1}, st)
-#define sk_${t1}_set(st, i, val) sk_set((_STACK *)CHECKED_PTR_OF(STACK_OF($t1), st), i, CHECKED_PTR_OF($t2, val))
+#define sk_${t1}_set(st, i, val) sk_set(CHECKED_STACK_OF($t1, st), i, CHECKED_PTR_OF($t2, val))
 #define sk_${t1}_zero(st) SKM_sk_zero($t1, (st))
-#define sk_${t1}_unshift(st, val) sk_unshift((_STACK *)CHECKED_PTR_OF(STACK_OF($t1), st), CHECKED_PTR_OF($t2, val))
+#define sk_${t1}_unshift(st, val) sk_unshift(CHECKED_STACK_OF($t1, st), CHECKED_PTR_OF($t2, val))
 #define sk_${t1}_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF($t1), st), CHECKED_CONST_PTR_OF($t2, val))
 #define sk_${t1}_delete(st, i) SKM_sk_delete($t1, (st), (i))
-#define sk_${t1}_delete_ptr(st, ptr) ($t1 *)sk_delete_ptr((_STACK *)CHECKED_PTR_OF(STACK_OF($t1), st), CHECKED_PTR_OF($t2, ptr))
+#define sk_${t1}_delete_ptr(st, ptr) ($t1 *)sk_delete_ptr(CHECKED_STACK_OF($t1, st), CHECKED_PTR_OF($t2, ptr))
 #define sk_${t1}_set_cmp_func(st, cmp)  \\
 	((int (*)(const $t2 * const *,const $t2 * const *)) \\
-	sk_set_cmp_func((_STACK *)CHECKED_PTR_OF(STACK_OF($t1), st), CHECKED_SK_CMP_FUNC($t2, cmp)))
+	sk_set_cmp_func(CHECKED_STACK_OF($t1, st), CHECKED_SK_CMP_FUNC($t2, cmp)))
 #define sk_${t1}_dup(st) SKM_sk_dup($t1, st)
 #define sk_${t1}_shift(st) SKM_sk_shift($t1, (st))
-#define sk_${t1}_pop(st) ($t2 *)sk_pop((_STACK *)CHECKED_PTR_OF(STACK_OF($t1), st))
+#define sk_${t1}_pop(st) ($t2 *)sk_pop(CHECKED_STACK_OF($t1, st))
 #define sk_${t1}_sort(st) SKM_sk_sort($t1, (st))
 #define sk_${t1}_is_sorted(st) SKM_sk_is_sorted($t1, (st))
 
diff --git a/src/lib/libssl/src/util/pl/VC-32.pl b/src/lib/libssl/src/util/pl/VC-32.pl
index c3e29fda96..5f25fc41bf 100644
--- a/src/lib/libssl/src/util/pl/VC-32.pl
+++ b/src/lib/libssl/src/util/pl/VC-32.pl
@@ -138,8 +138,8 @@ else
 	}
 
 # generate symbols.pdb unconditionally
-$app_cflag.=" /Zi /Fd$tmp_def/app";
-$lib_cflag.=" /Zi /Fd$tmp_def/lib";
+$app_cflag.=" /Zi /Fd\$(TMP_D)/app";
+$lib_cflag.=" /Zi /Fd\$(TMP_D)/lib";
 $lflags.=" /debug";
 
 $obj='.obj';
@@ -195,7 +195,7 @@ if ($FLAVOR =~ /WIN64A/) {
 	my $ver=`nasm -v 2>NUL`;
 	my $vew=`nasmw -v 2>NUL`;
 	# pick newest version
-	$asm=($ver gt $vew?"nasm":"nasmw")." -f win32";
+	$asm=($ver ge $vew?"nasm":"nasmw")." -f win32";
 	$asmtype="win32n";
 	$afile='-o ';
 } else {
-- 
cgit v1.2.3-55-g6feb